Antivirus archives - IT Trenches


Oct 15 2009   12:51PM GMT

Google’s Postini services restored - cascading issues caused message delivery issues



Posted by: Troy Tate
Google, cloud services, saas, antispam, antivirus, service outage, service level, incident report, root cause analysis, corrective actions

I recently posted about Google’s Postini - cloud email security service - delivery issues. This is a follow-on post about the incident root cause analysis and corrective actions. Maybe there are some lessons here that you can apply to your own organization’s service delivery.

The impact on customer email services lasted more than 24 hours while Postini engineers worked to resolve the issues. So, this was not an insignificant event. During this period, messages were delayed and users were not able to get to their quarantines to release messages trapped by filters. Administrators were also unable to access the administration console. The Postini support portal was unreachable at times due to the high volume of users trying to get updates on the event. The support phone line queues were very long and it took a long time to reach a support agent. Nothing like this has happened before in all of the years we have been a Postini customer.

I just received the incident report about the service disruption and wanted to share some of the information with IT Trenches readers.

Oct 13 2009   7:59PM GMT

Google’s Postini - cloud email security service - delivery issues



Posted by: Troy Tate
Google, cloud services, saas, antispam, antivirus, service outage, service level

Since very early today, US Eastern Daylight Time, Google’s Postini services have been experiencing service issues. As of this writing, neither the cause nor the full scope of the issue is known. However, when logging into the Postini support portal, an administrator is shown the following status indicators:

Postini system status on October 13, 2009


We have been Postini customers for over 4 years now and this is the first time an outage like this has happened. It’s not a full outage, as messages are still coming in, although at a trickle rather than the normal expected volume. This outage is so bad that my ability to log in to the support portal is impacted. I receive either an internal 500 server error or “Too many connectionsCould Not Select DB”. A recent update notification said that a secondary Postini data center has been enabled.

The recent Gmail outage raised some concerns about cloud computing. I wonder if today’s Google Postini outage is a symptom of some deeper Google service delivery problem.

Thanks for reading & let’s continue to be good network citizens! Hopefully you are not trying to send me any messages, who knows how long it might take for the message to reach me today. Otherwise, let me know what you think here in the comments.


Aug 28 2009   4:21PM GMT

BlackHat USA technical presentations available online - not just for hackers



Posted by: Troy Tate
malware, bootkit, rootkit, antivirus, threats, vulnerabilities, research, blackhat, hacker, least user authority, least user privilege, Database, Development, information security, infosec, education

The media archives from the BlackHat USA technical conference held in July 2009 have now been posted on the BlackHat website. This is the place to go if you want to see some of the latest information security research: threats that are real today and threats that may become real someday. I posted a previous blog entry on the presentation about the Bootkit - rootkit - malware bypasses disk encryption!

Some of the presentation titles:

I Just Found 10 Million SSN’s

Sniff Keystrokes With Lasers/Voltmeters: Side Channel Attacks Using Optical Sampling of Mechanical Energy and Power Line Leakage

Anti-Forensics: The Rootkit Connection

Reversing and Exploiting an Apple® Firmware Update

The Language of Trust: Exploiting Trust Relationships in Active Content

Mo’ Money Mo’ Problems: Making A LOT More Money on the Web the Black Hat Way

The Conficker Mystery

These are just some of the titles available in the BlackHat 2009 Technical Conference media library. Check it out even if you are a web developer, an IT professional who manages desktops or networks, or a manager of staff who perform these tasks. You need to know what you are up against and the methods available to fight these threats.

Thanks for reading & let’s continue to be good network citizens!


Aug 19 2009   6:21PM GMT

Can a botnet make me sexy?



Posted by: Troy Tate
botnet, infection, parasite, autoupdate, command and control, command, control, antivirus, configuration manager, systems center, Microsoft, mcafee

Ponder this question. Are there botnets that are sexy and make you more attractive? I got this idea from the Animal Planet (Discovery) show Monsters Inside Me: Can a Parasite Make Me Sexy? Consider a good botnet (parasite) for a minute. Is something like McAfee ePolicy Orchestrator or Microsoft’s System Center Configuration Manager a command and control system for a good botnet? Would that be considered a sexy parasite? Is this just a symbiotic relationship that is good for all?

So, think about it… what are you infected with today that’s doing you good?

Well… maybe it’s not always good to be infected with a parasite so that’s why I say: thanks for reading & let’s continue to be good network citizens.


Aug 14 2009   12:48PM GMT

Bootkit - rootkit - malware bypasses disk encryption!



Posted by: Troy Tate
malware, bootkit, rootkit, antivirus, threats, vulnerabilities, research, blackhat, hacker, least user authority, least user privilege

If you have not been nervous before about someone infecting computers without your knowledge then you should be much more nervous after reading this article.

In 1987 the Stoned boot sector virus came out and was one of the most prevalent viruses of the early personal computer era. As with most malware concepts, this old threat has been made new again.

An 18-year-old security specialist, Peter Kleissner, gave a presentation on a bootkit/rootkit named Stoned at the annual BlackHat security conference. This bootkit is not your typical rootkit: because it loads from the master boot record (MBR), it is in memory before the disk encryption software ever starts, so the encryption never gets a chance to protect the boot path. That is exactly what the demonstration showed. Once resident, the bootkit can download other malware, such as trojans that capture banking credentials.

The bootkit can be installed either by someone with physical access to the device or by a user running with administrative credentials (a good argument for the “least user authority” (LUA) principle). Once installed and activated it is very difficult to detect. According to one article:

Once installed, Stoned cannot be detected with traditional anti-virus software because no modifications of Windows components take place in memory, says Kleissner. Stoned runs in parallel with the actual Windows kernel. Even an anti-virus function in the BIOS can’t stop the bootkit, as modern Windows versions modify the MBR without referring to the BIOS.
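To make the point about where such a bootkit lives concrete, here is an added example that is not from the original post, not the Stoned bootkit, and not any vendor tool. It parses a 512-byte MBR image, hashes the boot-code region separately from the partition table (the table and the disk signature can legitimately change, the boot code should not), and compares the hash against a baseline taken on a known-good machine. The two MBR images below are constructed; reading the real record from \\.\PhysicalDrive0 (Windows) or /dev/sda (Linux) is assumed to require administrator or root rights.

```python
"""
MBR integrity check: parse the master boot record, hash its boot-code region
separately from the partition table, and compare to a stored baseline.
A bootkit that replaces the MBR boot code changes the boot-code hash while
leaving the partition table untouched. Example code only; the sample MBR
images at the bottom are constructed, not captured from a real disk.
"""
import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439: boot code; 440..443 disk signature; 444..445 reserved
PART_TABLE_OFF = 446         # four 16-byte partition entries follow the boot code area
PART_ENTRY_LEN = 16
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511


@dataclass
class Partition:
    bootable: bool
    type_id: int
    start_lba: int
    sectors: int


def is_valid_mbr(mbr: bytes) -> bool:
    return len(mbr) == MBR_SIZE and mbr[510:512] == MBR_SIGNATURE


def parse_partitions(mbr: bytes) -> list[Partition]:
    """Decode the four partition entries; empty entries (type 0) are skipped."""
    if not is_valid_mbr(mbr):
        raise ValueError("not a valid MBR (bad length or missing 0x55AA signature)")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, type_id, start_lba, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if type_id != 0:
            parts.append(Partition(status == 0x80, type_id, start_lba, sectors))
    return parts


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the executable region only, so a new disk signature or a
    repartitioning does not raise a false alarm."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> dict:
    parts = parse_partitions(mbr)
    digest = boot_code_hash(mbr)
    return {
        "boot_code_modified": digest != baseline_hash,
        "active_partitions": sum(1 for p in parts if p.bootable),
        "boot_code_sha256": digest,
    }


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: the given boot code padded to 440 bytes, a fixed disk
    signature, one active NTFS partition starting at LBA 2048, and 0x55AA."""
    assert len(boot_code) <= BOOT_CODE_LEN
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00") + b"\x12\x34\x56\x78" + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 409600)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return body + table + MBR_SIGNATURE


# Constructed samples: a "clean" record and one whose boot code was replaced
# while the partition table was left exactly as it was.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 50)
INFECTED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"BOOTKIT-TEST" + b"\x90" * 50)
BASELINE = boot_code_hash(CLEAN_MBR)  # what you would store after imaging a known-good machine

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, check_mbr(image, BASELINE))
```

Two caveats a practitioner should keep in mind. First, hashing only the boot code is deliberate: Windows rewrites the disk signature and the partition table for legitimate reasons, and a baseline over the whole sector would page you every time a disk is repartitioned. Second, some MBR rootkits hook disk I/O so that reads from inside the running OS return the original, clean sector; take the baseline and run the comparison from trusted boot media rather than trusting the possibly infected system to read its own disk honestly.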

Our challenge as infosec professionals is laid out before us. How we deal with threats like these and protect our users and organizations becomes more difficult all of the time. We have to stay on top of our game because the rules and game conditions are always changing.

Thanks for reading & let’s continue to be good network citizens.


Jun 24 2009   6:24PM GMT

Did you see this? - SYSTEM CLEANING: GETTING RID OF MALWARE FROM INFECTED PCS



Posted by: Troy Tate
malware, malicious software, Security, information security, integrity, availability, trojan, bot, botnet, registry, antivirus, anti-virus, av

I don’t know about you but I do get frustrated when a white paper is advertised and it has little or no meat to it. Most times it seems like the whitepapers offered by vendors today are light marketing fluff with little substance to help IT folks do their job better.

I came across a whitepaper/research document today that will help you do your job better if you manage systems that may become affected by malware. This means anyone that uses a computer could get some use from this document and website.

Check it out today. The whitepaper does not require any registration (another pet peeve of mine - check out bugmenot for Firefox if registrations bug you too!). The whitepaper is titled SYSTEM CLEANING: GETTING RID OF MALWARE FROM INFECTED PCS.

Thanks for reading and let’s continue to be good network citizens.


Apr 2 2009   8:53PM GMT

5 Things we learned from the Conficker non-event



Posted by: Troy Tate
Conficker, patching, Microsoft, patches, lessons learned, malware, network, predicting future, Security, information security, endpoint protection, endpoint, antivirus, anti-virus

1. The media can take a story about Information Technology and say nothing of substance. What did the 60 Minutes story do for the IT industry? It made Symantec look like they could not effectively address security risks and might even create a sense of false security. I wonder how the CBS IT staff felt when it was revealed that some computers had been compromised. Who was this April Fools joke for? Working in IT at times makes you feel like Rodney Dangerfield - “I don’t get no respect”



Mar 31 2009   3:32PM GMT

Simple Conficker Scanner tool released - find the infected machines



Posted by: Troy Tate
honeynet, diagnostic tools, Conficker, ms08-067, antivirus, patches, anti-virus, detection, scanning, vulnerability scanning, vulnerability

A Simple Conficker Scanner (SCS) tool has been released by members of the Honeynet Project. The tool runs under Linux or Windows. It sends a specially crafted RPC query to a host or a range of IP addresses and reports whether each system is clean or potentially infected. I am running this tool against hosts on my network and I found a Windows 2000 server apparently infected by Conficker. I am in the process of clean-up on that host. It looks like a couple of things contributed to the infection on this computer:

1. Out-of-date anti-virus: the signatures had not been updated since January 2008.

2. Microsoft patches not applied.

Folks, the advice about maintaining up-to-date AV and applying patches is good advice. Heed the warnings and save yourself some clean-up trouble. I will be having a discussion with my operations team about this situation and make it clear that we should have been prepared for this and that this situation should not have arisen.

I am also following the advice from McAfee on Combating the Conficker worm.

For more details on how the Conficker worm actually works, follow the links in my blog post:

The Conficker Analysis - are you ready for April 1?

Thanks for reading. Let’s continue to be good network citizens.


Feb 11 2009   8:08PM GMT

Tracking down that user/computer that locks AD accounts



Posted by: Troy Tate
Data security, administration, analysis, antivirus, anti-virus, diagnostics, howto, information security, malicious activity, malware, Microsoft, Microsoft Windows, Active Directory, AD, network security, Password, policy enforcement, reporting, risk, risks, scanning, search, Security, security notification, tools, troubleshooting, Windows, password management, account management

With an environment spanning 18+ sites and more than 3000 computers around the globe, you can understand how challenging it is to track down which device or user is locking a user account. There are paid tools that can help do this. However, Microsoft provides free tools that, with a little testing and practice, let you quickly track down where an account is being locked and address the situation.

We had a situation recently where malicious software got onto a couple of machines and attempted to use the Administrator account to login. We have account lockout on our Windows 2003 AD domain, so after the appropriate number of invalid tries the Administrator account was locked out in the domain. This is because the machines were members of the domain and the malware did not distinguish the local administrator account from the domain administrator when attempting to elevate authority. Note that we use least user authority in our environment so the malware was not able to spread beyond these two machines. We suspect the machines became infected due to out of date antivirus signatures.

Unfortunately, the antivirus we use did not alert us to the situation. The way we were alerted was by our Microsoft System Center Operations Manager (SCOM) implementation. It notified the SCOM admin that the domain Administrator account was locked. The operations team was then tasked with tracking down what or who was locking this account. This is where the Microsoft Account Lockout and Management Tools came in use and helped isolate the cause.


Jan 21 2009   5:10PM GMT

Microsoft guidelines for Turning off Windows AutoRun do NOT work properly!



Posted by: Troy Tate
anti-virus, antivirus, Security, information security, CERT, Windows, trojan, digital picture frame, risks, security notification

One of the information security lists I subscribe to is the US-CERT Technical Cyber Security Alerts. US-CERT is the United States Computer Emergency Readiness Team. If you have information security responsibilities, I highly recommend that you visit their website and register for their mailing lists and subscribe to the RSS feeds to get the latest information on information security issues from a trusted US Government source.

In case you have not seen it, the latest US-CERT Technical Cyber Security Alert reads as shown below. I don’t know about you but the information in this bulletin really concerns me. I know personally how autorun.inf can affect a computer. I recently received a digital picture frame (DPF) as a gift. It is a very nice one in that it can handle several different types of media and is even an MP3 player. When I connected it to my computer the first time, Windows went through the “new device found” routine. Windows found the device as a standard removable storage device. That was no big deal. However, the DPF has 128MB of internal storage and that storage held an autorun.inf file that referenced a trojan executable! Fortunately my anti-virus detected it and deleted the file before it could do damage. How many consumers do not have antivirus? How would the trojan have affected their systems? That is a substantial risk in today’s technology environment!

I would highly recommend taking the steps outlined below to ensure that autorun.inf does not take down a critical system within your organization.

Thanks for reading & let’s continue to be good network citizens.

================================================

National Cyber Alert System

Technical Cyber Security Alert TA09-020A

Microsoft Windows Does Not Disable AutoRun Properly

Original release date: January 20, 2009

Last revised: –

Source: US-CERT

Systems Affected

* Microsoft Windows

Overview

Disabling AutoRun on Microsoft Windows systems can help prevent the spread of malicious code. However, Microsoft’s guidelines for disabling AutoRun are not fully effective, which could be considered a vulnerability.

I. Description

Microsoft Windows includes an AutoRun feature, which can automatically run code when removable devices are connected to the computer. AutoRun (and the closely related AutoPlay) can unexpectedly cause arbitrary code execution in the following situations:

* A removable device is connected to a computer. This includes, but is not limited to, inserting a CD or DVD, connecting a USB or Firewire device, or mapping a network drive. This connection can result in code execution without any additional user interaction.

* A user clicks the drive icon for a removable device in Windows Explorer. Rather than exploring the drive’s contents, this action can cause code execution.

* The user selects an option from the AutoPlay dialog that is displayed when a removable device is connected.

Malicious software, such as W32.Downadup, is using AutoRun to spread. Disabling AutoRun, as specified in the CERT/CC Vulnerability Analysis blog, is an effective way of helping to prevent the spread of malicious code.

The Autorun and NoDriveTypeAutorun registry values are both ineffective for fully disabling AutoRun capabilities on Microsoft Windows systems. Setting the Autorun registry value to 0 will not prevent newly connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed. According to Microsoft, setting the NoDriveTypeAutorun registry value to 0xFF “disables Autoplay on all types of drives.” Even with this value set, Windows may execute arbitrary code when the user clicks the icon for the device in Windows Explorer.

II. Impact

By placing an Autorun.inf file on a device, an attacker may be able to automatically execute arbitrary code when the device is connected to a Windows system. Code execution may also take place when the user attempts to browse to the software location with Windows Explorer.

III. Solution

Disable AutoRun in Microsoft Windows

To effectively disable AutoRun in Microsoft Windows, import the following registry value:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]

@="@SYS:DoesNotExist"

To import this value, perform the following steps:

* Copy the text

* Paste the text into Windows Notepad

* Save the file as autorun.reg

* Navigate to the file location

* Double-click the file to import it into the Windows registry

Microsoft Windows can also cache the AutoRun information from mounted devices in the MountPoints2 registry key. We recommend restarting Windows after making the registry change so that any cached mount points are reinitialized in a way that ignores the Autorun.inf file. Alternatively, the following registry key may be deleted:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Once these changes have been made, all of the AutoRun code execution scenarios described above will be mitigated because Windows will no longer parse Autorun.inf files to determine which actions to take. Further details are available in the CERT/CC Vulnerability Analysis blog. Thanks to Nick Brown and Emin Atac for providing the workaround.

IV. References

* The Dangers of Windows AutoRun -

<http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html>

* US-CERT Vulnerability Note VU#889747 -

<http://www.kb.cert.org/vuls/id/889747>

* Nick Brown’s blog: Memory stick worms -

<http://nick.brown.free.fr/blog/2007/10/memory-stick-worms>

* TR08-004 Disabling Autorun -

<http://www.publicsafety.gc.ca/prg/em/ccirc/2008/tr08-004-eng.aspx>

* How to Enable or Disable Automatically Running CD-ROMs -

<http://support.microsoft.com/kb/155217>

* NoDriveTypeAutoRun -

<http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91525.mspx>

* Autorun.inf Entries -

<http://msdn.microsoft.com/en-us/library/bb776823(VS.85).aspx>

* W32.Downadup -

<http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99>

* MS08-067 Worm, Downadup/Conflicker -

<http://www.f-secure.com/weblog/archives/00001576.html>

* Social Engineering Autoplay and Windows 7 -

<http://www.f-secure.com/weblog/archives/00001586.html>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA09-020A.html>

____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with “TA09-020A Feedback VU#889747” in the subject.

____________________________________________________________________

For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>.

____________________________________________________________________

Produced 2009 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>

____________________________________________________________________

Revision History

January 20, 2009: Initial release

================================================
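The alert’s fix only works if the registry ends up holding the exact string @SYS:DoesNotExist, and a .reg file pasted from a web page with typographic quotes, or one saved with a stray character, silently fails to do that. The following added example (not US-CERT’s or Microsoft’s code, and not part of the original post) audits the three places the alert talks about: the IniFileMapping\Autorun.inf default value, NoDriveTypeAutoRun, and whether MountPoints2 still holds cached device entries. The evaluation is a pure function over already-read values so it can be exercised anywhere; read_settings() pulls the live values with the standard winreg module when run on Windows. It is an assumption of this example that NoDriveTypeAutoRun is looked up under HKLM first and HKCU second; the sample settings are constructed.

```python
"""
Audit the AutoRun registry settings discussed in US-CERT TA09-020A.
evaluate() works on any platform from a dict of values; read_settings() reads
the live registry on Windows. Added example; SAMPLES are constructed.
"""
import sys

EFFECTIVE_INI_MAPPING = "@SYS:DoesNotExist"  # the exact default value the alert prescribes
NO_DRIVE_TYPE_ALL = 0xFF                     # Microsoft's "disable AutoPlay on all drive types"

INI_MAPPING_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
EXPLORER_POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
MOUNTPOINTS2_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"


def evaluate(settings: dict) -> list[str]:
    """Return a list of findings; an empty list means the alert's workaround is in place.
    Keys: ini_mapping (str or None), no_drive_type_autorun (int or None), mountpoints2_count (int)."""
    findings = []

    mapping = settings.get("ini_mapping")
    if mapping is None:
        findings.append("IniFileMapping\\Autorun.inf default value is missing: Windows still parses Autorun.inf")
    elif mapping != EFFECTIVE_INI_MAPPING:
        # Curly quotes, trailing spaces or a typo all leave Autorun.inf parsing enabled,
        # so anything other than the exact string is a failure, not a near miss.
        findings.append(f"IniFileMapping\\Autorun.inf default value is {mapping!r}, expected {EFFECTIVE_INI_MAPPING!r}")

    ndta = settings.get("no_drive_type_autorun")
    if ndta is None or (ndta & NO_DRIVE_TYPE_ALL) != NO_DRIVE_TYPE_ALL:
        # Defence in depth only: the alert notes 0xFF by itself does not stop the Explorer click case.
        findings.append(f"NoDriveTypeAutoRun is {ndta!r}: AutoPlay is still enabled for some drive types")

    cached = settings.get("mountpoints2_count", 0)
    if cached > 0:
        findings.append(f"MountPoints2 holds {cached} cached device entries: reboot or delete the key "
                        "after applying the mapping so stale Autorun.inf data is discarded")
    return findings


def read_settings() -> dict:
    """Read the live values (Windows only; winreg is imported here so evaluate() runs elsewhere)."""
    import winreg

    def query(root, key, value):
        try:
            with winreg.OpenKey(root, key) as k:
                return winreg.QueryValueEx(k, value)[0]
        except OSError:          # key or value absent
            return None

    def subkey_count(root, key):
        try:
            with winreg.OpenKey(root, key) as k:
                return winreg.QueryInfoKey(k)[0]
        except OSError:
            return 0

    # Assumption of this example: a machine-wide policy value wins over the per-user one.
    ndta = query(winreg.HKEY_LOCAL_MACHINE, EXPLORER_POLICY_KEY, "NoDriveTypeAutoRun")
    if ndta is None:
        ndta = query(winreg.HKEY_CURRENT_USER, EXPLORER_POLICY_KEY, "NoDriveTypeAutoRun")
    return {
        "ini_mapping": query(winreg.HKEY_LOCAL_MACHINE, INI_MAPPING_KEY, ""),  # "" selects (Default)
        "no_drive_type_autorun": ndta,
        "mountpoints2_count": subkey_count(winreg.HKEY_CURRENT_USER, MOUNTPOINTS2_KEY),
    }


# Constructed samples: an untouched XP-era box, a box where the .reg text was
# pasted with typographic quotes, and a box hardened exactly as the alert says.
SAMPLES = {
    "default": {"ini_mapping": None, "no_drive_type_autorun": 0x91, "mountpoints2_count": 12},
    "curly_quotes": {"ini_mapping": "\u201d@SYS:DoesNotExist\u201d", "no_drive_type_autorun": 0xFF, "mountpoints2_count": 12},
    "hardened": {"ini_mapping": "@SYS:DoesNotExist", "no_drive_type_autorun": 0xFF, "mountpoints2_count": 0},
}

if __name__ == "__main__":
    live = {"live": read_settings()} if sys.platform == "win32" else {}
    for name, values in {**SAMPLES, **live}.items():
        print(name, *(evaluate(values) or ["OK: AutoRun disabled as the alert recommends"]), sep="\n  ")
```

MountPoints2 lives under HKEY_CURRENT_USER, so run the audit as the user whose Explorer session matters, not only as the administrator who imported the .reg file; a clean result for one account says nothing about another user’s cached mount points on the same machine.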