Alternate Data Streams (ADSs) are a feature of the NTFS file system: a file can carry additional named streams alongside its primary data. These streams are not shown by Explorer or a plain dir listing, and the file's reported size counts only the primary stream, so they can be used to hide malicious code. A couple of years ago there was great wringing of hands over the inability of antivirus products to detect files hidden inside ADSs. It seems that this has not been rectified.
In the June issue of Information Security Mag, Ed Skoudis compares several antivirus products. When testing with files hidden in these streams, he found that most antivirus vendors are still lacking.
Aware of the threat, but not really educated yet, I searched further. I found a Computerworld article posted to the Symantec site. It said that
1. Alternate Data Streams cannot be removed from a file. The original file will need to be deleted.
2. Windows File Protection introduced in Windows 2000 cannot prevent hackers from adding an ADS with hidden executable code to a system file.
3. Users without “write” permissions to a file cannot add an ADS.
I also found a really cool GIAC paper by Jeff Garrett. In the paper Jeff demonstrates how to hide netcat in an ADS to avoid detection by an administrator. Very cool stuff!!
It looks like for now this is more evidence for the need to not perform day-to-day computer tasks as the administrator (point 3 above: no write permission, no ADS). Furthermore, it may be a good idea to check whether your antivirus company scans ADSs.
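The following is an added example, not code from the original post or from the papers it cites. It writes a second stream into an ordinary text file, shows that a normal directory listing does not reveal it, and then hunts a directory tree for files carrying any stream other than the primary one. It assumes PowerShell 3.0 or later on an NTFS volume; the directory, file and stream names are arbitrary choices for the demonstration.

```powershell
# Added example: hide data in an NTFS alternate data stream, then hunt for such streams.
# Assumes PowerShell 3.0+ on an NTFS volume. Paths and stream names are made up for the demo.
$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'readme.txt'

Set-Content -LiteralPath $file -Value 'Nothing to see here.'

# Write a second, named stream into the same file. Explorer and a plain
# Get-ChildItem/dir report only the primary ($DATA) stream's size.
Set-Content -LiteralPath $file -Stream 'payload' -Value 'echo this could just as well be an executable'

# Length here counts only the primary stream; the hidden data does not show.
Get-ChildItem -LiteralPath $file | Select-Object Name, Length

# Enumerate every stream attached to the file (the primary one is named ':$DATA').
Get-Item -LiteralPath $file -Stream * | Select-Object Stream, Length

# Read the hidden stream back.
Get-Content -LiteralPath $file -Stream 'payload'

# Hunt: list every file under a tree that carries a stream other than the primary data stream.
# Zone.Identifier is the usual benign hit (the mark-of-the-web that IE puts on downloaded files).
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Select-Object FileName, Stream, Length
        }
}

# Usage: scan the demo directory; the 'payload' stream on readme.txt shows up here
# even though Get-ChildItem above said nothing about it.
Find-AlternateStreams -Path $dir
```

Run the hunt against a system directory and you will mostly see Zone.Identifier streams; anything else, and in particular a stream large enough to hold an executable on a file under a system path, is worth a closer look.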
Archive for June 2004
Alternative Data Streams
Attack on Akamai takes down top Websites
The Washington Post is reporting that the Tuesday morning outage of sites that use Akamai (Google.com, Microsoft.com, liveupdate.symantec.com, etc.) was due to a distributed denial of service attack.
Akamai is a content distribution network used by high-traffic websites. When you go to a site like liveupdate.symantec.com, DNS directs you to an Akamai server close to your geographic region (and round-robins among several of them). Often large ISPs have their own Akamai server to limit the amount of bandwidth used on their Internet pipes. Because of the large number of Akamai servers, it is very difficult to attain a worldwide effect; it would take a very large number of compromised hosts being used for the denial of service attack. Russ Cooper of TruSecure speculates that this could instead be an exploit in the Akamai software itself.
At the time of Code Red, many companies were rudely surprised to find their servers being used in a denial of service attack on www.whitehouse.gov. We need to take the steps necessary to make sure that corporate computers are not vulnerable to this type of exploit, and that this kind of software is detected quickly when it does get installed on employee systems.
FTC says NO to Do Not Email List
Although authorized by the (YOU)CAN-SPAM Act to create a national do-not-email list, the Federal Trade Commission has declined to do so, according to News.com. The article quotes commission members as saying such a list would be ineffective and burdensome to the consumer.
Instead they highlighted two emerging mail authentication technologies, SPF and DomainKeys, as likely effective weapons in the anti-spam battle.
I tend to agree with this assessment. Unless your mailbox is already hopelessly overrun with spam and can't get any worse, I would never risk giving out my email address to an anti-spam list.
Wireless Insecurity
Looks like the wireless routers we all use are getting some attention. And not for the insecurity we all know about in 802.11 itself. Last week the Linksys WRT54G was reported to allow remote users access to the admin console even if remote access was turned off. If a user hadn't changed the default password, that was an immediate problem.
What could happen? I'm just thinking here, but a hacker could potentially set the Linksys to forward all ports through to your desktop. So all you people who have been letting the Linksys do the work, not running a desktop personal firewall and not doing your patching, would be in serious trouble.
Is something like this going to end up in a worm? More likely a hacker would scan a range of known cable modem/DSL IP addresses to collect vulnerable Linksys routers. Then they'd do the work of reconfiguring each router as necessary, then they'd try to own your box. Just when you think you're secure, you're busted.
Enough about last week's vulnerability. This week the NetGear WG602 is reported by Ars Technica to suffer from a trapdoor left by a Netgear partner.
Any user logging in with the username "super" and the password "5777364" is in complete control of the device.
Fortunately this can't be accessed by just anyone on the Internet like the Linksys problem.
Unfortunately, they don't seem to provide us with a way to restrict administration to only the WIRED portion of the local network! The Orinoco would allow us to keep wireless users from administering the product.
So to hack my Netgear you need to be in my house connected via the wired network, OR you could be outside my house trying to first break my wireless security. Of course if you did either of those, you'd pretty much have direct access to my network anyway.
With all the easier targets out there, you'd need to be specifically after me to go to all that trouble to break into the Netgear.
In an informal survey of systems between my home and office, more than half were running Linksys. I did not stop to see if the Linksys routers were vulnerable.
No Honor Among Thieves
According to a Kevin Poulsen article over at SecurityFocus, the Optix Pro backdoor program has a trapdoor left by the programmer. Trap doors are flaws that designers place in programs so that specific security checks are not performed under certain conditions. In this case it is a special "master" password that will let the author into any system on which the agent is installed.
It is quite common to try to amass armies of computers under your control to sell for use by spammers or to perform denial of service attacks on your enemies. It wouldn't do much good for anyone who wanders by to be able to take control, so the systems are secured so that only the hacker can control them. The most rudimentary method of controlling access is the password. This trapdoor gives the programmer access to any infected system, not just those that he installed.
The lesson to be learned here is that the code you download is only as trustworthy as the programmer. If you think you are playing with hacker tools, you're probably best off using a test machine that will never be used to connect to anything of importance. Even when downloading "legit" software, you need to remember that you are placing trust in the programmer, the website operator, and your Internet connection.
this office virus free for x days
Do you I.T. workers ever notice that you get a bonus check when things don't go well? A virus gets through the defenses and the company loses the ability to work for a period of time. You rack up the overtime and get an award check and maybe even lunch. Does that seem right to you? You work and work to keep the company virus free to little recognition, but when the goalie lets one slip through, it's recognition time.
I should put a disclaimer here since I know my management reads this. Where I work is really cool. They realize that although I feel like any virus incident equals complete failure on my part to secure the network, it really isn't possible to do that. The users want to maintain too many rights, so a balance has to be struck between security and usability. Sometimes that causes problems. And they have rewarded me for keeping the place virus free for the most part.
I was thinking it would be funny to put up a sign, "this office virus free for x days. Do your part to keep us safe." The thought of that just cracked me up and became the impetus for this entire post.
Montp.f virus targets your online bank activity
http://www.f-secure.com/v-descs/montp.shtml
Montp.f is actually a rather clever virus.
When you connect to your bank or use webmail you are likely making a secure connection using SSL. You'll notice a little "lock" icon down in the browser's status bar and an https:// prefix up in the address field. That means that the traffic between you and them is encrypted so that no one on the network path can eavesdrop on it.
What you probably didn't know is that there are troubleshooting tools that let you see the traffic anyway, because on your own machine it can be captured before the browser encrypts it. One way to do this is to set a couple of registry keys and install a DLL. Immediately you'll start collecting a clear-text log file containing all of the traffic.
This virus does something very similar. But once it collects the data, it's not trying to help you. Of course not. It searches the collected data to see if you went to one of 74 bank websites, along with some other websites that take passwords. If you have been to one of those sites it collects the relevant login information and sends it to the author via the Internet.
That's where this virus isn't as clever. Attempting to upload to a static IP address is not going to work. Sites like these usually get shut down rather quickly.
The virus also attempts to kill processes belonging to security-related software (antivirus).
All in all, you’ve got to hand it to them for this one. Two thumbs up for the information collection feature. They’ve got to work on a better way to get the information back to themselves without being caught. I’ve got a few ideas on the subject.
Sorry for the delay in posting
Normally right after I apologize for a delay in posting, I follow that up by not posting for an even longer period. So I’ll try to avoid that trend this time.
Over the weekend we had a test of our disaster recovery procedures. The SAN containing our mail data, desktop backups and file server went south and we spent a bit of time recovering from that.
Here’s some thoughts (not all of it had to be learned the hard way)
1. Alerting is always good. You want to find out about these things as early as possible. I had a page from Unicenter that I interpreted as being about disk size, but apparently it was trying to say "disk gone". If I hadn't wandered through work, I wonder how long that would have gone unnoticed.
2. You need a hard copy of your disaster recovery plan, or at least some people's home phone numbers. It's not good for it to be on the server that is down. (Apparently there was some concern at providing us low-level people with everyone's home information because we might go egg their houses. We're all in I.T. We can probably figure out where you live already.)
3. Plan for the worst case scenario. It could happen.
4. Backup software is worthless if it can't restore the entire server.
5. In time of a disaster, everyone is needed. Sometimes even if you don't have knowledge about the specific software, you can be a sounding board, or just run out for donuts.
Spyware part 2
This is part two of a look at what we can do to keep Spyware off the corporate computers. Part 1 is posted here. I’ll do my best not to repeat myself.
Antivirus vendors are expanding into the area of Spyware products. I think I would prefer to use them as the corporate Spyware solution. You don't have to install an extra product, you don't have to pay for another product, and you get to use a known administration scheme. For this reason I chose to review Symantec Antivirus Corporate Edition version 9.0 first.
SAV 9.0 CE
Normally I wouldn’t go near the first build of a Symantec release, but enticed by the potential protection against Spyware and some other new features, I jumped right into testing.
Pros
A trusted company. Likely to become a leading player in anti-Spyware.
Single application for both antivirus and Spyware.
Version 9 has greatly improved real-time protection (it's faster and it starts earlier).
Threat source: not something that helps with antivirus as such, but cool for tracking down file share attacks.
Cons
How good is their Spyware definition set really? It's an unknown.
Only works in manual and scheduled scan modes. No real-time protection.
Only logs or deletes the files it finds. It doesn't uninstall Spyware for you.
BSOD when I attempted to install 9 over 7.03. Not good.
Potential problems with XP service pack 2 (need to set registry keys)
Potential error with Outlook plugin.
Problems with uninstall of the previous version where the install path is not available (curse you, MSI).
Conclusion:
Until the Outlook problem is fixed, this is a no-go for us. ETA for fix: late June or July.
Ad-Aware or Spybot
I'm lumping these two together. I don't use Ad-Aware, but I believe it has the same problems.
pro
Able to remove files to a quarantine and restore them if necessary.
Large established Spyware database
Familiar interface for the “advanced” users
Con
No centralized reporting
No centralized update
No centralized scheduled scans
Conclusion
Not ready for the corporate world.
Pest Patrol
These guys have a new version due out on Monday. I am reviewing the earlier version at this time.
Pro
Ability to run from a login script; pretty cool.
When run from a login script, you only need to update the server.
Real time protection
Con
Their implementation guide requires an INSECURE implementation method in which all authenticated users have permissions to the files in the login script directory. This is really bad.
The database seems a bit overly broad. I think I've removed the categories, but I am worried about false positives, as recovering from a false positive doesn't seem as simple as with Spybot.
Alerting is email only.
If run on the local systems, my sole ability to manage it is by setting up a scheduled task to run a scan
Conclusion
Not ready for prime time. Let's see how the next version does. It looks promising based on the info I have been sent.
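A quick way to check for the permissions problem called out above, whatever product is dropping files into the login script directory. This is an added example, not Pest Patrol's own script or anything from the original post. It walks a directory, reads each item's ACL and reports every Allow entry that grants a write-capable right to a broad principal (Everyone, Users, Authenticated Users, Domain Users). It assumes PowerShell 3.0 or later; the share path in the usage line is a placeholder, not a real host.

```powershell
# Added example: audit a login-script (NETLOGON-style) directory for write access held by
# broad groups. Anyone who can write here can change what every user's login script runs.
# Assumes PowerShell 3.0+ on Windows. The share path at the bottom is a placeholder.
function Get-BroadWriteAccess {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Principals that effectively mean "any user on the network".
    $broadNames = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE'
    )

    # Rights that let the holder alter, replace or delete the scripts (or re-ACL them).
    $writeMask = [System.Security.AccessControl.FileSystemRights] (
        'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership, Write, Modify, FullControl')

    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }

            $who     = $ace.IdentityReference.Value
            $isBroad = ($broadNames -contains $who) -or ($who -like '*\Domain Users')
            if (-not $isBroad) { continue }

            # Compare on the raw bits so generic rights on inherited ACEs are handled too.
            if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }

            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: point it at the login script share (placeholder host name). An empty result is what you want;
# every row is a path where a vendor's "give Authenticated Users access" step went too far.
Get-BroadWriteAccess -Path '\\dc1\NETLOGON' | Format-Table -AutoSize
```

The intended end state is that broad groups hold Read and Execute only, and only administrators (and whatever service account updates the product's database) hold Modify. Re-run the audit after changing the ACLs, since inherited entries on subdirectories are easy to miss by eye.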
Webroot Spysweeper Enterprise
The corporate version is in beta. I have not been contacted after leaving my contact info on the site. It does sound promising.
Websense
Websense would only really make sense if you already own it or if you have a project to block porn also. By adding the Spyware category it prevents systems from going to sites listed as Spyware in their database. This can prevent new installs and prevent old installs from phoning home. I think this is a good part of a two layer approach.
Overall Conclusion
Sometimes companies like Gartner say the field is maturing... there is no perfect product... just buy now and limit the damage. The problem is you are being charged premium prices for an imperfect product. Also the "experts" will give us grief if we implement something that isn't as easy to use as their favorite product. Since NO Spyware product has a perfect detection rate (from anecdotal evidence), they are bound to remind us how defective our product selection was. You can see why I might want to delay a decision for a while.
Russ Cooper on Windows Security
Russ Cooper recently did a presentation to the Australian CERT analyzing Microsoft Security Bulletins. His post about that presentation is available at NTBUGTRAQ.
Microsoft PR has been comparing patch counts for Microsoft operating systems and other OSes to demonstrate that the computer security initiative is working. The problem is that "number of patches" only tells part of the story. Each patch often takes care of multiple vulnerabilities (see MS04-011 for one example). You really need to break it down by vulnerability to get an apples-to-apples comparison. That is the meat of Russ's demo.
Russ’s method fails to take into account vulnerability severity. He does however avoid a common pitfall where browser, webserver and operating system vulnerabilities are all lumped into one category.
Russ’s conclusion is that vulnerabilities stay in Microsoft code. When a vulnerability comes out it is often for NT4, 2000, and 2003. He says generally when a vulnerability does not occur in 2003 it is not because the code was cleaned up, it is because of improved configuration to avoid specific problems. Thus those who upgrade versions for security reasons are not gaining the improvement they seek. They could just as easily configure an earlier version in a secure manner in his opinion.
I think that some of his comparisons are unfair. When you compare the first x days of Windows NT4 to Windows 2003 you do a disservice to Windows 2003 when you conclude they have the same number of vulnerabilities. The full story would point out that Windows Server 2003 is a major target for the anti-Microsoft crowd. NT4 was a little more under the radar.
Russ had a slide in his presentation which reads “older is better”. I hope in his presentation he articulated that he meant only in terms of vulnerability numbers. Newer versions have new security tools that make them easier to configure. Newer versions have improved features and stability. Of course Russ would reply that the new features are just new security opportunities. I cant see anyone saying older is better unless they are talking about wine.
I am afraid that Russ's analysis that "newer versions have more vulnerabilities than older versions... it is not getting better" will become the new chorus for the uninformed Microsoft basher. Russ isn't a Microsoft basher, but I don't think he is presenting the full security picture when he reduces "better" to vulnerability numbers, particularly vulnerability numbers outside the context of severity. (He says he considers exploitability, but he only seems to do that with IE.)
Russ cites a TruSecure survey which states that unless you achieved 100% patching for Sasser you were in a worse state than if you hadn't tried patching at all. That seems counterintuitive, particularly when he goes on to say that 100% patch compliance is not verifiable. Perhaps he meant to say that corporations not focused on patching as their sole security solution were able to lessen the effects of Sasser through other security means. Or perhaps they just got lucky.
He also oddly states that too much effort is being expended on keeping IE patched. He states that there have only been two widespread attacks involving IE vulnerabilities. Certainly there is great fear of IE vulnerabilities because port 80 is not protected the way other ports are. I think it is worthwhile fear, based on the number of JavaScript exploits I see detected by antivirus in the browser cache. I also think there is a lot of phishing (which can use a browser exploit to hide the true address if you are not patched). Further, I think a lot of Spyware gets in through IE vulnerabilities. Perhaps Mr. Cooper would like to share with us the "secure" IE configuration he uses that makes patching unnecessary.
I would recommend reading this article. It is always important to get new viewpoints particularly when they are not from a rabid anti-Microsoft basher. He raises some good points about patching numbers from Microsoft that you should be aware of so you are not snowed by PR.