<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Palo Alto Networks Research Center</title>
	<atom:link href="http://www.paloaltonetworks.com/researchcenter/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.paloaltonetworks.com/researchcenter</link>
	<description>The Palo Alto Networks Research Center Blog</description>
	<lastBuildDate>Thu, 02 Sep 2010 21:48:57 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Putting BitTorrent Under the Spotlight</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2010/09/putting-bittorrent-under-the-spotlight/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2010/09/putting-bittorrent-under-the-spotlight/#comments</comments>
		<pubDate>Thu, 02 Sep 2010 21:48:57 +0000</pubDate>
		<dc:creator>Wade</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.paloaltonetworks.com/researchcenter/?p=1239</guid>
		<description><![CDATA[We have added a new video that introduces the key security concerns swirling around BitTorrent and specifically how to manage the risks that this incredibly popular application brings to your networks. We will cover how BitTorrent has evolved to avoid detection by traditional firewalls and IPS, how hackers are using BitTorrent to control malware, and [...]]]></description>
			<content:encoded><![CDATA[<p>We have added a new <a href="http://www.paloaltonetworks.com/literature/video/ent20/bittorrent.html">video</a> that introduces the key security concerns swirling around BitTorrent and specifically how to manage the risks that this incredibly popular application brings to your networks. We will cover how BitTorrent has evolved to avoid detection by traditional firewalls and IPS, how hackers are using BitTorrent to control malware, and why in some geographies BitTorrent can account for more than half of all internet traffic.</p>
<p><a href="http://www.paloaltonetworks.com/literature/video/ent20/bittorrent.html">View the video</a></p>
<p>As always, we love to hear your feedback, so take a look and let us know if you have any questions or have an application that you would like to see profiled.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2010/09/putting-bittorrent-under-the-spotlight/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Protecting Against the New DLL Attack</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2010/08/protecting-against-the-new-dll-attack/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2010/08/protecting-against-the-new-dll-attack/#comments</comments>
		<pubDate>Fri, 27 Aug 2010 02:56:46 +0000</pubDate>
		<dc:creator>Sandeep</dc:creator>
				<category><![CDATA[Threat Advisory/Analysis]]></category>
		<category><![CDATA[DLL threat prevention Microsoft]]></category>

		<guid isPermaLink="false">http://www.paloaltonetworks.com/researchcenter/?p=1231</guid>
		<description><![CDATA[Summary
Microsoft released a security advisory on Aug 23 that discusses a remote attack vector that allows an attacker to remotely take control of a user&#8217;s machine. The security advisory was in response to a report released by a security researcher the previous week that described how more than 40 Windows applications could be compromised due to [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Summary</strong></p>
<p>Microsoft released a <a href="http://www.microsoft.com/technet/security/advisory/2269637.mspx" target="_blank">security advisory</a> on Aug 23 that discusses a remote attack vector that allows an attacker to remotely take control of a user&#8217;s machine. The security advisory was in response to a <a href="http://www.computerworld.com/s/article/9180901/Update_40_Windows_apps_contain_critical_bug_says_researcher?" target="_blank">report</a> released by a security researcher the previous week that described how more than 40 Windows applications could be compromised due to the way Windows applications load DLLs. Palo Alto Networks&#8217; Next-Generation Firewalls can help thwart or mitigate such attacks by using App-ID and Content-ID technology (details below).</p>
<p><span id="more-1231"></span></p>
<p><strong>What customers should do</strong></p>
<p>The attack is best controlled by introducing firewall security policies that block <a href="http://en.wikipedia.org/wiki/Server_Message_Block" target="_blank">SMB</a> (Server Message Block) or <a href="http://en.wikipedia.org/wiki/WebDAV" target="_blank">WebDAV</a> (Web-based Distributed Authoring and Versioning) traffic from traversing the trust to untrust zones (see scenarios below). A recent <a href="http://www.us-cert.gov/current/#insecure_loading_of_dynamic_link" target="_blank">US CERT advisory</a> advised similarly. Security best practices indicate that most enterprises should have such policies in place on the perimeter firewall unless there is a need to allow Internet-based SMB or WebDAV traffic.</p>
<p>Scenario 1:  <em>Internet-based SMB and WebDAV is not allowed/needed</em></p>
<p>Fix: Introduce a firewall rule to block traffic for the following applications (webdav, msrpc, ms-ds-smb, netbios-ss) from the trust to the untrust zone.</p>
<p>Scenario 2:  <em>Internet-based SMB is not allowed/not-needed but WebDAV is allowed/needed</em></p>
<p>Fix: Introduce a firewall rule to block SMB traffic (applications: msrpc, ms-ds-smb, netbios-ss) from trust to untrust. Introduce another firewall rule to allow WebDAV traffic (application: webdav) from trust to untrust and add a file blocking profile that blocks the DLL file type.</p>
<p>An additional layer of protection can be added by applying a threat prevention (antivirus) policy to detect and block known malicious DLL files. Customers can apply an antivirus profile to firewall rules (the default action for any virus detected over HTTP or SMB is block, so the default antivirus settings would work).</p>
<p>Customers are also advised to check the Mitigating Factors and Workarounds posted in Microsoft&#8217;s Security Advisory.</p>
<p><strong>Attack Details</strong></p>
<p>The DLL attack is in fact a classic attack and is OS-agnostic &#8212; if an application needs to find a library (a DLL in the case of Windows), it looks in each of the directories (in order) listed in the PATH shell variable. If an attacker places a malicious library in a directory that appears in the PATH variable &#8220;before&#8221; the directory containing the genuine library, then the attacker can have his/her malicious code executed by the application. For such an attack to happen, two things are required:</p>
<p>1. The application loading the library uses a relative library name instead of a full path (this causes the library to be searched for in the directories listed in the PATH variable).</p>
<p>2. The malicious library is already present on the local machine.</p>
<p><strong>The new research finding relaxed the second requirement</strong>. This increases the threat surface dramatically: the attacker can now create a data file that the vulnerable application can open, create a malicious library that the vulnerable application would invoke, and host both files on an Internet-based network share that the user can access. If the user can somehow be lured into accessing the specially crafted data file, then the vulnerable application would execute the malicious library, causing the attacker&#8217;s code to run on the local machine.</p>
<p>It is to be noted that the threat applies only to those Windows applications that load DLLs by using the DLL name only and not the absolute path name of the DLL. If IT personnel are interested in finding what vulnerable applications exist on a given machine, they can use a public program available from Metasploit (for obvious reasons, Palo Alto Networks does not guarantee the correctness of this program).</p>
<p><a href="http://blog.metasploit.com/2010/08/better-faster-stronger.html">http://blog.metasploit.com/2010/08/better-faster-stronger.html</a></p>
<p>This attack is also described in a <a href="http://blogs.technet.com/b/msrc/archive/2010/08/21/microsoft-security-advisory-2269637-released.aspx" target="_blank">Microsoft blog</a> and <a href="http://www.us-cert.gov/cas/techalerts/TA10-238A.html" target="_blank">US CERT Technical Alert TA10-238A.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2010/08/protecting-against-the-new-dll-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How Palo Alto Network’s Next-Generation Firewalls Protect Against Torpig Attack</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2010/08/how-palo-alto-network%e2%80%99s-next-generation-firewalls-protect-against-torpig-attack/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2010/08/how-palo-alto-network%e2%80%99s-next-generation-firewalls-protect-against-torpig-attack/#comments</comments>
		<pubDate>Fri, 20 Aug 2010 07:32:30 +0000</pubDate>
		<dc:creator>Sandeep</dc:creator>
				<category><![CDATA[Threat Advisory/Analysis]]></category>
		<category><![CDATA[botnet]]></category>

		<guid isPermaLink="false">http://www.paloaltonetworks.com/researchcenter/?p=1200</guid>
		<description><![CDATA[In this blog, I talk about how our next-generation firewalls protect against botnets such as Torpig. There are 3 parts to a botnet attack:
1. User visits a website which starts a chain reaction for torpig-infection
There are 2 ways in which this can happen:

a.   User is tricked into going to a website that he/she didn’t intend [...]]]></description>
			<content:encoded><![CDATA[<p>In this blog, I talk about how our next-generation firewalls protect against <a href="http://en.wikipedia.org/wiki/Botnets" target="_blank">botnets</a> such as Torpig. There are 3 parts to a botnet attack:</p>
<p><strong>1. User visits a website which starts a chain reaction for torpig-infection</strong></p>
<p>There are 2 ways in which this can happen:</p>
<p><span id="more-1200"></span></p>
<p><em>a.   User is tricked into going to a website that he/she didn’t intend to go to in the first place</em></p>
<p>This is also known as a phishing attack. Once the user visits such a website, the website starts downloading exploits to the user’s computer without the user’s intervention. Such downloads are also referred to as <a href="http://en.wikipedia.org/wiki/Drive-by_download" target="_blank">drive-by downloads</a>, in the sense that the user didn’t have to explicitly download the exploits; merely visiting the website causes the download to happen.</p>
<p>Such attacks can usually be nipped in the bud by a URL filtering solution that detects the user’s traffic going to a pre-categorized malware website. Our next-generation firewalls provide a URL filtering solution that can help detect such traffic and thereby prevent the attack.</p>
<p><em>b.  User goes to a popular website that has been recently hacked into</em></p>
<p>This happened recently with songlyrics.com. The website was hacked into and its HTML content was modified to include a <a href="http://www.guardian.co.uk/technology/2008/apr/03/security.google" target="_blank">malicious &lt;iframe&gt;</a> that in turn directed the user’s browser to a malware hosting site. Note that &lt;iframe&gt; by itself is not harmful; in fact it is part of the standard HTML specification. It&#8217;s just that some usages of &lt;iframe&gt; can be malicious, and as such it is important that any signatures protecting against malicious &lt;iframe&gt; usage are written so that they don&#8217;t generate false positives. Palo Alto Networks&#8217; next-generation firewalls currently have three such signatures to detect malicious iframes.</p>
<p><a href="http://www.paloaltonetworks.com/researchcenter/wp-content/uploads/2010/08/blog15.jpg"><img class="aligncenter size-full wp-image-1220" title="blog1" src="http://www.paloaltonetworks.com/researchcenter/wp-content/uploads/2010/08/blog15.jpg" alt="" width="782" height="98" /></a></p>
<p>&lt;above information is available on <a href="http://support.paloaltonetworks.com/">support.paloaltonetworks.com</a> website under &#8220;Threat Database&#8221; link&gt;</p>
<p><strong>2.   The &lt;iframe&gt; in the page directs the user machine to go to a malware site and download exploits</strong></p>
<p>As mentioned earlier, the &lt;iframe&gt; would direct the user’s browser to a malware hosting site, which once again can “very likely” be caught by the URL filtering solution. I say “very likely” because it depends on how long the malware website has been up; if the website is very recent, it is possible that the URL filtering database has not yet tagged it as malicious.</p>
<p>In any case, let&#8217;s assume for now that URL filtering does not stop the traffic. Now the malware site will start throwing exploits at the user’s computer, trying to exploit an unpatched or even zero-day vulnerability. Once such a vulnerability is found, the malware site downloads the actual malware/virus to the computer, which causes the computer to become a “bot”.</p>
<p>Our next-generation firewalls can stop such an attack using our vulnerability-based signatures. Here, it is important to distinguish between vulnerability-based signatures and exploit-based signatures. A single vulnerability-based signature can protect against <em>all</em> different attacks that try to take advantage of that vulnerability. Exploit-based signatures, however, protect against only <em>certain</em> attack vectors. Clearly, it is desirable to have vulnerability-based signatures as they provide the most comprehensive protection.</p>
<p>At Palo Alto Networks, our threat team spends considerable time understanding vulnerabilities and creating signatures to protect against the vulnerability itself. In fact, the Palo Alto Networks Threat Team has been recognized several times by Microsoft for discovering and reporting Microsoft-related vulnerabilities. Palo Alto Networks is the only private company in the top 5 list of companies that have reported vulnerabilities to Microsoft.</p>
<p>Additionally, customers should be mindful of packet latency when vulnerability protection is turned on. Due to its single-pass architecture, Palo Alto Networks&#8217; next-generation firewall scans the contents only once, and the results are used for vulnerability/spyware/virus blocking, file blocking and URL filtering. In particular, our antivirus solution is stream-based rather than file-based. File-based antivirus solutions first download the entire file and <em>then</em> run virus checks on it, which increases packet latency through the device. A stream-based solution does virus checking <em>while</em> the file is in transit. Clearly, the latter would be preferred from the user&#8217;s perspective.</p>
<p>Coming back to exploits, once the user’s machine is successfully compromised, the malware website then downloads an executable file (virus) which, in the case of Torpig, installs Mebroot. Most IPSes do not cover virus protection. Palo Alto Networks&#8217; next-generation firewall, however, provides a strong antivirus solution. We receive several thousand virus samples from our partners. Our threat team analyzes the samples, looks for malicious patterns in the files and then defines virus signatures that each detect <em>several</em> samples. This helps reduce the virus signature footprint.</p>
<p>Specifically for Torpig, we have over <strong>6400 signatures </strong>to capture torpig-related malicious executable files. These signatures provide coverage against roughly <strong>12,800 malicious samples </strong>(each torpig signature on average covers 2 samples).</p>
<p><strong>3. The malicious code installed on victim computer sends personal info to Torpig’s Command and Control servers</strong></p>
<p>This is the step that makes money for the hacker (by stealing personal financial information from the victims).</p>
<p>Currently, we provide three signatures to capture such traffic. Once again this is a cat-and-mouse game between hackers coming up with different traffic profiles for connecting to command and control servers and anti-spyware vendors blocking such traffic with unique signatures.</p>
<p><a href="http://www.paloaltonetworks.com/researchcenter/wp-content/uploads/2010/08/blog2.jpg"><img class="aligncenter size-full wp-image-1221" title="blog2" src="http://www.paloaltonetworks.com/researchcenter/wp-content/uploads/2010/08/blog2.jpg" alt="" width="764" height="78" /></a><a href="http://www.paloaltonetworks.com/researchcenter/wp-content/uploads/2010/08/blog3.jpg"><img class="aligncenter size-full wp-image-1222" title="blog3" src="http://www.paloaltonetworks.com/researchcenter/wp-content/uploads/2010/08/blog3.jpg" alt="" width="775" height="52" /></a></p>
<p>In the picture above, the second signature (12657) corresponds to the DNS traffic that our threat team identified as Torpig DNS requests.</p>
<p>Following is the packet dump for DNS traffic from Torpig: the blue part is the IP header, the red part is the UDP header and the rest is the DNS response. As you can see from the packet, one of the name servers (which is actually the authoritative server) is <a href="http://torpig.sinkhole.org/">torpig.sinkhole.org</a>.</p>
<pre>0000  00 16 d3 2d 22 b4 00 18  73 d7 08 5d 08 00 <span style="color: #00ccff;">45 88</span>   ...-"... s..]..E.
<span style="color: #00ccff;">0010  00 71 00 00 40 00 33 11  0b 93 c0 36 70 1e 0a 01</span>   .q..@.3. ...6p...
<span style="color: #00ccff;">0020  01 0c</span> <span style="color: #ff0000;">00 35 46 e4 00 5d  24 13</span> 00 08 80 00 00 01   ...5F..] $.......
0030  00 00 00 02 00 00 08 79  61 7a 74 69 72 70 61 03   .......y aztirpa.
0040  6e 65 74 00 00 01 00 01  c0 0c 00 02 00 01 00 02   net..... ........
0050  a3 00 00 19 03 6e 73 31  0f 74 6f 72 70 69 67 2d   .....ns1 .torpig-
0060  73 69 6e 6b 68 6f 6c 65  03 6f 72 67 00 c0 0c 00   sinkhole .org....
0070  02 00 01 00 02 a3 00 00  06 03 6e 73 32 c0 2e      ........ ..ns2..</pre>
<p>We created a signature to catch such DNS responses. Now, whenever the signature is triggered in a network, one can be pretty sure that they have torpig-infected systems in their network.</p>
<p>Overall, to effectively block or mitigate such attacks, any threat prevention solution needs to be comprehensive without significant performance degradation. Our next-generation firewalls combine all elements of threat prevention together (URL filtering, Vulnerability-attack protection, Spyware protection, Virus protection) at hardware-accelerated speeds and provide risk mitigation for botnet-related attacks.</p>
<p>External links for Torpig:</p>
<p><a href="http://en.wikipedia.org/wiki/Torpig">http://en.wikipedia.org/wiki/Torpig</a></p>
<p><a href="http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf">http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2010/08/how-palo-alto-network%e2%80%99s-next-generation-firewalls-protect-against-torpig-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Of Patience and Vigilance&#8230;</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2010/08/of-patience-and-vigilance/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2010/08/of-patience-and-vigilance/#comments</comments>
		<pubDate>Thu, 12 Aug 2010 22:55:55 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[application control]]></category>
		<category><![CDATA[firewall]]></category>

		<guid isPermaLink="false">http://www.paloaltonetworks.com/researchcenter/?p=1174</guid>
<description><![CDATA[The 2010 Verizon Data Breach Report was released recently and like previous iterations, it was well worth the time to read it. For those who have not seen it, this report analyzes corporate-level data breaches to show us what happened, how it happened and makes recommendations on how to stop them in the [...]]]></description>
<content:encoded><![CDATA[<p>The <a href="http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf">2010 Verizon Data Breach Report</a> was released recently and, like previous iterations, it was well worth the time to read. For those who have not seen it, this report analyzes corporate-level data breaches to show us what happened, how it happened, and makes recommendations on how to stop them in the future. I also saw a shorter yet equally interesting article on <a href="http://lastwatchdog.com/banks-require-consumers-online-banking-secure/">Last Watchdog</a> that discussed the challenges the banking industry has in keeping our personal banking accounts safe.<br />
<span id="more-1174"></span><br />
The element that ties these two items together is the level of patience that the attackers exhibited in their quest to achieve their goals, and the level of vigilance that we need to continue to exert to defend the corporate network as well as our personal assets.</p>
<p>In both cases, the attackers patiently collected information on their targets, taking as long as needed to collect the desired data points using a combination of traditional social engineering techniques, updated for today’s web 2.0 world. Social networking sites can help uncover corporate roles or answers to security questions. Hijacked social networking user credentials can be used to convince a user to click on a URL with embedded malware, thinking it came from a friend. The malware in turn collects data such as user names and passwords that is used to help achieve the objectives. Some telling statistics from the data breach report:</p>
<ul>
<li>Zeus successfully stole more passwords than phishing and SQL injection attacks by a 2:1 margin.</li>
<li>54% of the malware found was customized specifically to the target.</li>
<li>Database servers represented 25% of the breaches investigated, and 92% of the records stolen.</li>
<li>Most surprisingly, none of the breaches were achieved because of an unpatched vulnerability.</li>
</ul>
<p>There are several bright spots that can be taken from the report, and they revolve around vigilance. In the banking article, the users profiled were vigilant about keeping their money safe: they worked with the bank and acted quickly when something strange occurred, such as an email verification of an address change.</p>
<p>In the corporate world, vigilance is clearly being exhibited by the fact that no vulnerability exploits were used to effect the breaches. So either servers are being patched more effectively, or attackers merely ignore or avoid those high-profile targets. Unfortunately, the report also showed that in some cases vigilance was lacking. There were signs found in log files (after the fact) that could have been used to uncover the attack in progress, or sooner than the original discovery. So we as a profession need to either find the time to sift through logs, or the tools need to do a better job. Or perhaps both?</p>
<p>Take a read for yourself. We’d love to hear your views.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2010/08/of-patience-and-vigilance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What&#8217;s APPening with Apple FaceTime</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2010/08/whats-appening-with-apple-facetime/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2010/08/whats-appening-with-apple-facetime/#comments</comments>
		<pubDate>Fri, 06 Aug 2010 00:51:38 +0000</pubDate>
		<dc:creator>Srinivas Avasarala</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[App-ID]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[Application]]></category>
		<category><![CDATA[FaceTime]]></category>
		<category><![CDATA[Jabber]]></category>
		<category><![CDATA[NAT]]></category>
		<category><![CDATA[SIP]]></category>
		<category><![CDATA[STUN]]></category>
		<category><![CDATA[XMPP]]></category>

		<guid isPermaLink="false">http://www.paloaltonetworks.com/researchcenter/?p=1135</guid>
		<description><![CDATA[As the Antenna-gate controversy raged and finally subsided, the team here was busy enhancing our App-ID technology to identify Apple’s new video calling feature – FaceTime. It is essentially the audio-video chat functionality of Apple&#8217;s iChat for desktops, but tied to the iPhone4 device. From our analysis of the network traffic of FaceTime, we discovered [...]]]></description>
			<content:encoded><![CDATA[<p>As the Antenna-gate controversy raged and finally subsided, the team here was busy enhancing our App-ID technology to identify Apple’s new video calling feature – FaceTime. It is essentially the audio-video chat functionality of Apple&#8217;s iChat for desktops, but tied to the iPhone4 device. From our analysis of the network traffic of FaceTime, we discovered that it uses SIP, the industry standard protocol for VoIP telephony, <a href="http://www.paloaltonetworks.com/researchcenter/2010/07/nat-traversal-for-voip-calls%E2%80%A6how-stun-helps/" target="_self">STUN for NAT traversal</a>, and XMPP over SSL for authentication with Apple.</p>
<p>Since it relies on Wi-Fi connectivity, corporate networks will have to carry this traffic as employees begin to use it inside the Enterprise. For enterprises that do not want to install and manage their own SIP network, it serves as an out-of-the-box mobile video calling solution.</p>
<p>However, some security admins are wary about the numerous ports that must be opened in their firewalls to allow FaceTime calling.<span id="more-1135"></span> Apple’s <a href="http://support.apple.com/kb/ht4245" target="_blank">note on their support site</a> states:</p>
<blockquote><p>If the Wi-Fi network router that you are connected to uses a firewall or security software to restrict Internet access, contact the network administrator and reference this technical article. To use FaceTime on a restricted Wi-Fi network, port forwarding must be enabled for ports 80, 443, 3478, 4080, 5223, and 16393-16402 (UDP).</p></blockquote>
<p>We say, you can have your cake and eat it too! App-ID technology allows admins to identify and control the traffic based on the specific applications and not just ports and protocols. So to permit FaceTime calling, you only need to create a policy in the firewall to allow the facetime App-ID. And if not already allowed, you are alerted to allow the applications it depends on: sip, stun, ssl, jabber (xmpp), and ichat-av.</p>
<p>Instead of manually opening the entire suggested ephemeral UDP port range, the built-in SIP application-level gateway (ALG) dynamically opens media ports for RTP/RTCP. And when using NAT, it ensures proper translation of addresses and ports in the SIP payloads.</p>
<p>If Apple&#8217;s goals of shipping tens of millions of FaceTime devices this calendar year and making FaceTime an open standard are indeed realized, we can expect to see a lot of this traffic on corporate networks in the near future.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2010/08/whats-appening-with-apple-facetime/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>New Twitter Video Available</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2010/07/new-twitter-video-available/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2010/07/new-twitter-video-available/#comments</comments>
		<pubDate>Fri, 30 Jul 2010 17:25:54 +0000</pubDate>
		<dc:creator>Wade</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.paloaltonetworks.com/researchcenter/?p=1127</guid>
		<description><![CDATA[We have just recently added the latest in our ongoing series of videos where we put the spotlight on a particular application and dig deeper into specifically how companies are using the application, the risks that it introduces to an enterprise and how to mitigate them. This week Twitter goes on the hot seat and [...]]]></description>
<content:encoded><![CDATA[<p>We have just recently added the latest in our ongoing series of videos where we put the spotlight on a particular application and dig deeper into specifically how companies are using the application, the risks that it introduces to an enterprise and how to mitigate them. This week Twitter goes on the hot seat and you may be surprised by what you <a href="http://www.paloaltonetworks.com/literature/video/ent20/twitter.html">learn</a>.</p>
<p>For instance, we will cover that the &#8220;teenage&#8221; perception of Twitter is largely unfounded and why Twitter is a new favorite technology for businesses. We&#8217;ll also cover a brief history of the security challenges Twitter has experienced over the years including public battles with hackers, public battles with the FTC and all the nasty things that can happen when the President&#8217;s Twitter account gets hacked. Then of course we will dive into specifically how to mitigate these and future Twitter risks, and how security teams can safely enable Twitter for your enterprise users. Take a look, and as always, let us know what you think.</p>
<p><a href="http://www.paloaltonetworks.com/literature/video/ent20/twitter.html">Twitter Application Spotlight</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2010/07/new-twitter-video-available/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>NAT traversal for VoIP calls…how STUN helps.</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2010/07/nat-traversal-for-voip-calls%e2%80%a6how-stun-helps/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2010/07/nat-traversal-for-voip-calls%e2%80%a6how-stun-helps/#comments</comments>
		<pubDate>Thu, 22 Jul 2010 23:46:56 +0000</pubDate>
		<dc:creator>Srinivas Avasarala</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[NAT]]></category>
		<category><![CDATA[STUN]]></category>
		<category><![CDATA[VoIP]]></category>

		<guid isPermaLink="false">http://www.paloaltonetworks.com/researchcenter/?p=1094</guid>
		<description><![CDATA[Real-time voice and video communication on the Internet is mainstream today with several popular instant messengers (IMs) supporting VoIP calls. A big hurdle in the initial adoption of VoIP was the fact that most PCs or other devices sit behind firewalls and use private IP addresses. Multiple private addresses (IP address and port) in [...]]]></description>
			<content:encoded><![CDATA[<p>Real-time voice and video communication on the Internet is mainstream today, with several popular instant messengers (IMs) supporting VoIP calls. A big hurdle in the initial adoption of VoIP was the fact that most PCs and other devices sit behind firewalls and use private IP addresses. Multiple private addresses (IP address and port) in the network are mapped to a single public address by a firewall using a technique called Network Address Translation (NAT). The end device is not aware of its public address and port, so if it advertises its private address in its VoIP signaling, the remote party has nowhere reachable to send media. One solution to this NAT traversal problem is Session Traversal Utilities for NAT (STUN), a protocol standardized by the IETF (RFC 5389) that lets an application discover the public address and port mapping its NAT has allocated, so that it can advertise that mapping to a peer.</p>
<p>Below, I’ve tried to deconstruct a Yahoo Messenger voice call with the hope of understanding how STUN is used in NAT traversal. <span id="more-1094"></span></p>
<p>Using Wireshark, I captured the traffic for a call between me (private IP address 192.168.1.3) and a remote user in my own network (private IP address 192.168.1.5).</p>
<p>We first see my IM client do a DNS resolution for Yahoo’s STUN service at ‘beta.stun.voice.yahoo.com’, yielding two IP addresses, 68.142.233.76 and 68.142.233.74.</p>
<p>We then see my IM client send STUN requests to both of these Yahoo STUN servers on the standard STUN port 3478. The STUN response in the picture below shows my public IP address/port (called the server reflexive candidate) in the MAPPED-ADDRESS attribute as 98.248.136.182/23885.</p>
<p><a href="http://www.paloaltonetworks.com/researchcenter/wp-content/uploads/2010/07/stun-rsp-68.142.233.74.png"><img class="alignnone size-medium wp-image-1097" src="http://www.paloaltonetworks.com/researchcenter/wp-content/uploads/2010/07/stun-rsp-68.142.233.74-300x175.png" alt="" width="300" height="175" /></a></p>
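<p>As an added example that is not part of the original post, the Python below builds the same kind of STUN Binding Request the IM client sent and parses a Binding Response to pull out the mapped address. It assumes RFC 5389 framing (20-byte header with the magic cookie); the capture above may have used an older STUN revision. The response bytes are constructed here to carry the address seen in the capture (98.248.136.182/23885), the function and constant names are mine, and nothing is sent on the wire. Both the MAPPED-ADDRESS attribute shown in the screenshot and the XOR-MAPPED-ADDRESS form that RFC 5389 added are handled.</p>

```python
"""Build a STUN Binding Request and parse a Binding Response (RFC 5389 framing).

Added example, not code from the original post. The server reply below is
CONSTRUCTED to mirror the mapping seen in the post's capture; no packet is sent.
"""
import os
import socket
import struct
from typing import Optional, Tuple

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020
STUN_PORT = 3478  # standard STUN port, as in the capture


def build_binding_request(txid: Optional[bytes] = None) -> bytes:
    """20-byte header: type, attribute length (0), magic cookie, 96-bit transaction ID."""
    txid = txid or os.urandom(12)
    if len(txid) != 12:
        raise ValueError("transaction ID must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def _decode_address(value: bytes, xor: bool) -> Tuple[str, int]:
    """Decode an IPv4 (XOR-)MAPPED-ADDRESS value: pad, family, port, address."""
    _, family, port = struct.unpack("!BBH", value[:4])
    if family != 0x01:
        raise ValueError("only IPv4 is handled in this example")
    (addr,) = struct.unpack("!I", value[4:8])
    if xor:  # XOR form hides the address from NATs that rewrite it in the payload
        port ^= MAGIC_COOKIE >> 16
        addr ^= MAGIC_COOKIE
    return socket.inet_ntoa(struct.pack("!I", addr)), port


def parse_binding_response(data: bytes, expected_txid: bytes) -> dict:
    """Return {'mapped': (ip, port), 'xor_mapped': (ip, port)} from a Binding Response.

    The transaction ID must echo the request's, so a reply an off-path attacker
    blindly injects cannot plant a bogus reflexive address; mismatches are rejected.
    """
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, msg_len, cookie = struct.unpack("!HHI", data[:8])
    txid = data[8:20]
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie")
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch (possible spoofed reply)")
    if msg_type != BINDING_SUCCESS:
        raise ValueError("unexpected message type 0x%04x" % msg_type)
    if len(data) != 20 + msg_len:
        raise ValueError("length field does not match payload")
    out = {}
    off = 20
    while off + 4 <= len(data):
        attr_type, attr_len = struct.unpack("!HH", data[off:off + 4])
        value = data[off + 4:off + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated attribute")
        if attr_type == ATTR_MAPPED_ADDRESS:
            out["mapped"] = _decode_address(value, xor=False)
        elif attr_type == ATTR_XOR_MAPPED_ADDRESS:
            out["xor_mapped"] = _decode_address(value, xor=True)
        off += 4 + ((attr_len + 3) & ~3)  # attribute values are padded to 4 bytes
    return out


def _encode_address(ip: str, port: int, xor: bool) -> bytes:
    (addr,) = struct.unpack("!I", socket.inet_aton(ip))
    if xor:
        port ^= MAGIC_COOKIE >> 16
        addr ^= MAGIC_COOKIE
    return struct.pack("!BBHI", 0, 0x01, port, addr)


def constructed_response(txid: bytes, ip: str = "98.248.136.182", port: int = 23885) -> bytes:
    """CONSTRUCTED server reply carrying the same mapping in both attribute forms."""
    attrs = (struct.pack("!HH", ATTR_MAPPED_ADDRESS, 8) + _encode_address(ip, port, False)
             + struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, 8) + _encode_address(ip, port, True))
    return struct.pack("!HHI", BINDING_SUCCESS, len(attrs), MAGIC_COOKIE) + txid + attrs


def discover_mapping_offline() -> dict:
    """The request/response round trip, with the constructed reply standing in for a server."""
    req = build_binding_request()
    txid = req[8:20]
    return parse_binding_response(constructed_response(txid), txid)


if __name__ == "__main__":
    print(discover_mapping_offline())
```

<p>To use this against a real server, send the bytes from build_binding_request to UDP port 3478 from the same socket the application will use for media; the mapping a NAT returns is specific to that source port, which is why the IM client had to perform its own STUN exchange rather than reuse a cached answer.</p>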
<p>The public address thus discovered via STUN is then communicated in the SIP (Session Initiation Protocol) session between my IM client and Yahoo’s SIP server (sip120-p3.voice.sp2.yahoo.com at 98.137.130.123) over TCP. Following this TCP stream in Wireshark, in the picture below, we see a SIP INVITE from me to my remote party whose payload carries a list of all possible IP addresses/ports (candidates) where I can receive the media flows. The list includes both my private IP address 192.168.1.3/23880 and the public addresses discovered using STUN.</p>
<p><a href="http://www.paloaltonetworks.com/researchcenter/wp-content/uploads/2010/07/sip-invite.png"><img class="alignnone size-medium wp-image-1105" src="http://www.paloaltonetworks.com/researchcenter/wp-content/uploads/2010/07/sip-invite-300x40.png" alt="" width="300" height="40" /></a></p>
<p>The remote party (192.168.1.5) sends a SIP OK message with its own candidate list ordered by priority.</p>
<p><a href="http://www.paloaltonetworks.com/researchcenter/wp-content/uploads/2010/07/sip-ok.png"><img class="alignnone size-medium wp-image-1108" src="http://www.paloaltonetworks.com/researchcenter/wp-content/uploads/2010/07/sip-ok-300x27.png" alt="" width="300" height="27" /></a></p>
<p>The two endpoints then exchange a series of STUN connectivity checks against each candidate on the list and arrive at a candidate pair to send and receive media. In this case, the candidate pair selected is (192.168.1.3/23880, 192.168.1.5/19256), the private addresses of the two endpoints: both parties sit on the same LAN, so the direct private-to-private check succeeds and there is no need to hairpin the media through the NAT.</p>
<p>This is how the IETF gets around address hiding while keeping endpoints reachable: STUN discovers the NAT mapping, and the exchange of prioritized candidates followed by connectivity checks is the procedure the IETF standardized as Interactive Connectivity Establishment (ICE). Clients for the proprietary VoIP application Skype and the peer-to-peer application BitTorrent are believed to use variations of this technique to traverse NAT as well. The practical consequence for a firewall is that the media ports are negotiated dynamically inside the signaling, so a port-based policy must either open wide UDP ranges or follow the SIP/STUN exchange to learn which pinholes a given call actually needs; STUN Binding Requests to UDP port 3478 are also an easy marker for spotting VoIP and peer-to-peer clients on a network.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2010/07/nat-traversal-for-voip-calls%e2%80%a6how-stun-helps/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Application Video for Facebook</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2010/07/new-application-video-for-facebook/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2010/07/new-application-video-for-facebook/#comments</comments>
		<pubDate>Thu, 15 Jul 2010 20:49:54 +0000</pubDate>
		<dc:creator>Wade</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.paloaltonetworks.com/researchcenter/?p=1083</guid>
		<description><![CDATA[I&#8217;d like to introduce everyone to one of our latest projects here at Palo Alto Networks. In short, we have released the first of a forthcoming series of brief videos, each one focusing on a particular application, its benefits, the risks it brings to the enterprise and how those risks can be properly managed.
Our first [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;d like to introduce everyone to one of our latest projects here at Palo Alto Networks. In short, we have released the first of a forthcoming series of brief videos, each one focusing on a particular application, its benefits, the risks it brings to the enterprise and how those risks can be properly managed.</p>
<p>Our first video covers the ubiquitous Facebook which you can see <a href="http://www.paloaltonetworks.com/literature/video/ent20/facebook.html">here</a>.</p>
<p>Since this is our first of these videos, we&#8217;d love to hear what you think about it. Was it interesting and/or helpful? What other sorts of information would you like to see covered? Is there an application that you would like to see highlighted in the series? Any and all suggestions are welcome so take a look and let us know what you think.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2010/07/new-application-video-for-facebook/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Intrusion Prevention News and Errata</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2010/07/intrusion-prevention-news-and-errata/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2010/07/intrusion-prevention-news-and-errata/#comments</comments>
		<pubDate>Fri, 09 Jul 2010 17:33:13 +0000</pubDate>
		<dc:creator>Wade</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[IPS]]></category>
		<category><![CDATA[Twitter]]></category>

		<guid isPermaLink="false">http://www.paloaltonetworks.com/researchcenter/?p=1075</guid>
		<description><![CDATA[Security Teams Losing Ground Against Attackers?
This week the Ponemon Institute released a study of almost 600 IT security professionals who overwhelmingly reported an increase in advanced threats and a lack of proper security mechanisms to deal with them. A few important notes:
❯	“Advanced Threat” was defined as a threat requiring a methodology or a combination of [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Security Teams Losing Ground Against Attackers?</strong></p>
<p>This week the Ponemon Institute released a study of almost 600 IT security professionals who overwhelmingly reported an increase in advanced threats and a lack of proper security mechanisms to deal with them. A few important notes:</p>
<p>❯	“Advanced Threat” was defined as a threat requiring a methodology or a combination of techniques as opposed to just one.<br />
❯	71% of the participants reported an increase in advanced threats compared to the previous year.<br />
❯	80% believed that their IT management was unaware of the risk posed by these threats.<br />
❯	70% of threats were found to have evaded IPS and antivirus systems.<br />
❯	IT overwhelmingly cited a lack of sufficient visibility and proper security technologies as the cause of missing the attacks.</p>
<p><span id="more-1075"></span>While there are many conclusions one could draw from those numbers, the obvious thread tying them together is that the current generation of security solutions is not doing its job. Attackers have figured out how to bypass single-function systems, and security teams cannot see what is coming into the enterprise. Sounds like a job for an application-aware firewall that actually identifies what the traffic really is and then applies coordinated prevention, integrating IPS, malware prevention and antivirus in context. Hmmm…</p>
<p><strong>A Busy Week for Twitter<br />
</strong><br />
❯	The saga between Twitter and Hacker Croll seems to be finally coming to a close. Hacker Croll (a celebrity hacker in all senses) got himself and the folks at Twitter into considerable hot water when he exposed weaknesses in the Twitter service by famously hacking into President Obama’s Twitter account. This led to Hacker Croll being prosecuted by his native French government, and to Twitter facing FTC charges that it had misled users about the security of their information. To the delight of conspiracy theorists everywhere, these events were recently resolved on the same day, with Hacker Croll being convicted (suspended sentence) and Twitter settling with the FTC on June 24th.</p>
<p>❯	As an interesting aside, the thing that landed Twitter in the most trouble was not the hack itself, but its insistence to the public that user information was completely safe even in the wake of the breach. So the hacker got nabbed for proving publicly that the vulnerability existed and Twitter was hit for denying it – these fights never end well.</p>
<p>❯	Also on June 24th (a busy day for Twitter) researchers in Indonesia demonstrated yet another XSS vulnerability on the Twitter platform, capable of taking over Twitter accounts and spreading malware. The fun never stops.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2010/07/intrusion-prevention-news-and-errata/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What’s Old is New…</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2010/06/what%e2%80%99s-old-is-new%e2%80%a6/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2010/06/what%e2%80%99s-old-is-new%e2%80%a6/#comments</comments>
		<pubDate>Wed, 30 Jun 2010 21:13:57 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[application control]]></category>

		<guid isPermaLink="false">http://www.paloaltonetworks.com/researchcenter/?p=1068</guid>
		<description><![CDATA[An article on The Last Watchdog points out that the act of monitoring employee activities was not brought about by increased use of Facebook or Twitter. It is in fact a time-honored practice.

More important than the practice is the reason. It is not to see how productive an employee is or is not – [...]]]></description>
			<content:encoded><![CDATA[<p>An article on <a href="http://lastwatchdog.com/">The Last Watchdog</a> points out that the act of monitoring employee activities was not brought about by increased use of Facebook or Twitter. It is in fact a time-honored practice.<br />
<span id="more-1068"></span></p>
<div id="attachment_1070" class="wp-caption aligncenter" style="width: 461px"><a href="http://www.paloaltonetworks.com/researchcenter/wp-content/uploads/2010/06/old-_vs_new.jpg"><img class="size-full wp-image-1070" title="old-_vs_new" src="http://www.paloaltonetworks.com/researchcenter/wp-content/uploads/2010/06/old-_vs_new.jpg" alt="" width="451" height="276" /></a><p class="wp-caption-text">Old vs New: The original Mustang GT500 and the new, 2010 GT500.</p></div>
<p>More important than the practice is the reason. It is not to see how productive an employee is or is not; a non-productive employee is a management problem, and no amount of technology will fix a lazy or disgruntled employee. The reason is to protect the company from both a business and a security perspective.</p>
<p>While the practice of monitoring may be time-honored, the practice of notifying users is not. Indeed, many users do not know the boundaries…and they should.</p>
<p>From the <a href="http://lastwatchdog.com/defense-employers-technology-monitor-workers/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+LastWatchdog+%28The+Last+Watchdog%29">article</a>:</p>
<p style="padding-left: 30px;"><em>Companies should create and enforce policies that make it clear to employees what their duties are, what the employer’s obligations are and how they each affect the other. A little education can go a very long way to overcoming the distrust that arises when employers try a stealth approach to this very sensitive issue.</em></p>
<p>Indeed. It is a two-way street, and education can go a long way&#8211;particularly with newer employees who may not know exactly what the employer is monitoring&#8230;or why.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2010/06/what%e2%80%99s-old-is-new%e2%80%a6/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
