Over at Broadband reports there is a thread that starts:
“my friend sent me a exe file he said scan this with my antivirus and then no virus so i open this file and two reg line came added this %sytemroot%\mgs.exe %systemroot%\expolorer.exe to the start up and here the link to this file ”
That’s one of those things where I wanted to bust out laughing and beat my head against the computer at the same time.
Just to be clear:
1. Never run viral code unless you know what you are doing. That would typically include a test machine and maybe a test network. At least a good firewall to prevent yourself from infecting others.
2. Just because your antivirus doesn’t detect what you suspect to be a virus, that doesn’t mean it’s a good idea to run it just to see what it does.
3. If you have a file you suspect is a virus, upload it to www.virustotal.com. That will scan it with several antivirus scan engines so you’ll have a better idea of what is up.
Perhaps this guy did know what he was doing when he ran the code. It just sounded so odd the way he wrote that so I figured it was a good teachable moment.
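A triage pass over startup entries of the kind the poster found, as an added example that is not part of the original post. It assumes nothing beyond the two file names quoted above; the allowlist of genuine Windows binaries is a small constructed sample, and the Run-key contents are constructed.

```python
"""Triage heuristic for Windows startup (Run-key) entries.  Added example, not
from the original post; the allowlist is a small constructed sample, not an
authoritative inventory.  Flags names that are a near-miss of a genuine Windows
binary (the post's "expolorer.exe" vs explorer.exe) and unknown binaries that
sit under %systemroot%.
"""
import ntpath

# Constructed sample of genuine %systemroot% binaries (not exhaustive).
KNOWN_SYSTEM_BINARIES = {
    "explorer.exe", "notepad.exe", "regedit.exe", "svchost.exe",
    "lsass.exe", "services.exe", "userinit.exe", "winlogon.exe",
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits away is a look-alike name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def executable_path(command: str) -> str:
    """Strip arguments from a Run-key value, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0]

def triage_entry(command: str) -> str:
    """Return 'ok', 'lookalike:<real name>' or 'unknown-in-systemroot'."""
    path = executable_path(command)
    exe, directory = ntpath.basename(path).lower(), ntpath.dirname(path).lower()
    if exe in KNOWN_SYSTEM_BINARIES:
        return "ok"
    closest = min(KNOWN_SYSTEM_BINARIES, key=lambda k: edit_distance(exe, k))
    if edit_distance(exe, closest) <= 2:
        return f"lookalike:{closest}"
    if directory.startswith(("%systemroot%", r"c:\windows")):
        return "unknown-in-systemroot"
    return "ok"

# Constructed Run-key contents modelled on the two lines the forum poster saw.
SAMPLE_RUN_KEY = {
    "mgs": r"%systemroot%\mgs.exe",
    "expolorer": r"%systemroot%\expolorer.exe",
    "Updater": r'"C:\Program Files\Vendor\updater.exe" /quiet',
}
```

A verdict other than "ok" is a reason to look closer, not proof of infection; legitimate installers do drop unfamiliar binaries under the system root.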
Archive for May 2005
What Not to Do
Big Damn Hero
Rick Rescorla was the Security Head for Morgan Stanley at the World Trade Center. His is one story that cannot be told often enough.
After the 1993 truck bombing at the WTC, he drilled the employees of Morgan Stanley in emergency evacuation procedures. Because of this preparedness and his call to evacuate on 9/11/01, everyone at Morgan Stanley made it out except for him and two of his staff. Unfortunately, emergency evacuation procedures call for making sure everyone else gets out first. Rick died when the tower he was in collapsed as he performed his duties, doing a floor-by-floor search for stragglers.
I just found out that Amazon has a book on his life, Heart of a Soldier. I can’t wait to get it.
Rather than do a further recap of Rick’s life, here are some links. If you can keep a dry eye while reading them, you are much tougher than I am.
http://www.mudvillegazette.com/archives/000307.html
http://www.post44.org/misc/rescorla.html
http://www.newyorker.com/fact/content/?020211fa_FACT1

“Free” Security Mags
Do you subscribe to any security magazines? There is CSO, Information Security Magazine, and SC Magazine. There are probably others I haven’t thought of.
All you need to do is provide some information. What is your security budget? What is your purchasing authority? What types of products do you plan to buy over the next 6 months? Give away some information and get a free magazine.
Kind of ironic that security magazines would rely on information disclosure as a core part of their business model. I can live with that since the information is so generic. The problem is when they keep asking me to fill out the form to resubscribe after I’ve already done it. I just had a “Barbara” from SC Mag hang up on me when I told her I had already resubscribed twice and asked how many times I needed to resubscribe before they would stop asking me to do it.
Strong Process Controls bring Security
Gene Kim, the CTO of Tripwire, did a study of hundreds of organizations in late 2002 and early 2003. He found that many organizations were struggling with patch management and had system-administrator-to-server ratios of 1 administrator to 5 or 6 servers. Other organizations were humming along with ratios of one administrator to a hundred servers. The 1:100 organizations had strong security. The difference he found between the organizations was the policy and controls in place.
The Tripwire website has an article that goes along with this. What is needed is a prevailing culture of change management, rigorous configuration management practices, and a heavy reliance on release management.
At work, there is an initiative to implement IT Service Management. Administrators have responded with reticence. There are fears that the sysadmin’s job will be nothing more than updating knowledge base articles and disaster recovery plans. The feeling is that System Administration is a dark art rather than a science. From Gene Kim’s reports it sounds like there is a lot of room for improvement if the process can be implemented correctly.
Security not an Afterthought
You wouldn’t build a house and then add electricity after the fact. It would end up costing you much more. You would need to rip out the walls to install the wiring. The inspections done by the local authorities need to take place as the building is going up to ensure that the installation is safe.
The same is true for security in the projects at work. Security is most effective when planned and implemented throughout the entire lifecycle.
What’s Important
Microsoft released a Windows Explorer patch yesterday with a rating of Important. The exploit is that under Windows 2000 using the web view (which is the default), if you click on a specially crafted file it will run code of the attacker’s choice.
Now to me that seems kind of critical. I guess it’s only rated Important because it requires user interaction. The user must save the file to disk rather than opening it directly, as in an email attachment. Next they must open it in Windows Explorer.
You can see examples of an exploit file over at SecurityFocus.
http://www.securityfocus.com/data/vulnerabilities/exploits/copy.doc
http://www.securityfocus.com/data/vulnerabilities/exploits/simple.doc
http://www.securityfocus.com/data/vulnerabilities/exploits/rename.doc
I just found the page where Microsoft details how it defines vulnerability severity. For Microsoft, to be considered Critical a vulnerability must not require user interaction.
Critical
A vulnerability whose exploitation could allow the propagation of an Internet worm without user action.
Important
A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users’ data, or of the integrity or availability of processing resources.
Moderate
Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.
Low
A vulnerability whose exploitation is extremely difficult, or whose impact is minimal.
Social Engineering
I was home last week when a couple of guys knocked on my door. I hate it when people ignore the no-solicitation sign that is at the entrance to our community.
They were wearing Honeywell shirts and said they were in the neighborhood offering to upgrade five people to the latest greatest alarm system for free.
I talked with them a bit about what the alarm system could do, and they did talk a good game. But the situation seemed kind of hinky to me. Isn’t that just what a bad guy would do to try and find out what security protections I have?
Website Hijinks Part 4
I got back from a Mother’s Day trip, and I see that tgp.la’s registrar has given them the kibosh.
http://whois.dotregistrar.com/drs/wwwhois.pl?domain=tgp&tld=.LA&Check=Check
Status:PENDING DELETE RESTORABLE
Status:HOLD
Also the glue records that were in place on the root servers are gone. I don’t want to be premature here, but I think we’ve stopped the tgp.la hijack.
I suspect the hacker’s next step will be to attempt to re-modify all the home pages on PowWeb. With tgp.la offline and unlikely to return, they’ll need a new domain for a new attack.
Website Hijinks Part 3
Tgp.la was offline last night. I assume that someone got to the bad guy’s webhost and had him termed for abuse. By this morning the site was back online and pointing to a new IP address. These bad guys are experienced at playing whack-a-mole. If you take out one site, he’s ready to pop up in a new location.
I contacted the new webhost (still no word from them) as well as the bad guy’s dynamic DNS provider, EveryDNS. EveryDNS responded before I returned from lunch. They have pulled the guy’s DNS and redirected it to a “termed for abuse” webpage. So I’ve got one confirmed kill thus far.
The problem is that doesn’t slow him down much. The guy just goes to his registrar and changes the authoritative DNS servers. So I’ve contacted the guy’s registrar to see if we can terminate the domain itself for abuse. That will prevent any further exploitation on these sites through the iframe pointing to tgp.la. Of course, the bad guy will then register a new domain, but he will have to start from scratch. Since no one has figured out how this was done in the first place, we’ll probably find all the sites infected again with the new URL.
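A sweep for the kind of injected frame described in Parts 3 and 4, as an added example that is not part of the original post. It assumes only the tgp.la domain named above; the sample HTML is constructed, and the checks (known-bad domain, zero-size or CSS-hidden frame) are the generic tells a host could use to scan its customer pages for the infection.

```python
"""Sweep HTML for injected <iframe> elements.  Added example, not from the
original post: the hijacked PowWeb home pages described there carried an
iframe whose src pointed at tgp.la, so this flags frames that reference a
known-bad domain or that are hidden (zero-size / display:none).  SAMPLE_HTML
is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

BAD_DOMAINS = {"tgp.la"}  # the domain named in the post; extend as needed

class IframeCollector(HTMLParser):
    """Record the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.frames = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append({k.lower(): (v or "") for k, v in attrs})

def _matches_bad_domain(host):
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)

def _is_hidden(attrs):
    """Zero/one-pixel frames or CSS-hidden frames are a classic injection tell."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

def find_suspicious_iframes(html):
    """Return [(src, [reasons])] for each iframe worth a second look."""
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.frames:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if _matches_bad_domain(host):
            reasons.append("known-bad-domain")
        if _is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            hits.append((src, reasons))
    return hits

# Constructed page: one legitimate embed, one injected frame like the post describes.
SAMPLE_HTML = """<html><body><h1>Welcome to my site</h1>
<iframe src="http://www.example.org/embed" width="400" height="300"></iframe>
<iframe src="http://tgp.la/" width="0" height="0"></iframe>
</body></html>"""
```

Frames assembled by script at page-load time never appear in the static markup, so this catches the plain injection the post describes, not obfuscated variants.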
Happy Blogaversary
Today is my one-year anniversary of blogging about Information Security. I think over the year I’ve been more or less faithful to my goal of posting 5 days out of 7. Hopefully some of it has been useful to the readership. I’ve certainly enjoyed doing it.
Here’s to another year of securing our computers.

