Thursday, June 7, 2007

VULNERABILITY ASSESSMENT

Introduction

Vulnerability assessment (VA) is the process of identifying and quantifying vulnerabilities in a system. Assessing such vulnerabilities and loopholes is very important because a vulnerable system is easily infected and can then spread the impact to other systems on its network. VA also deals with taking the necessary steps to close the vulnerabilities and make the system less prone to attacks.

The process of VA here in the SOC consists of scanning the systems with a powerful scanning tool, the ISS Internet Scanner, and detecting systems with missing patches, weak or empty passwords, unauthorized shares and other vulnerabilities. A host-based intrusion detection system/firewall, BlackICE, helps every system identify the intrusions and unwanted programs accessing it. This course of action is centralized for effective and smooth working.


Software Used

ISS Scanner

An Internet Scanner minimizes the risk in the network by identifying the security holes, or vulnerabilities, so that we can protect them before an attack occurs.


Internet Scanner can identify many types of networked devices on the network, including desktops, servers, routers/switches, firewalls, security devices and application routers.

Once all of the networked devices are identified, Internet Scanner analyzes the configurations, patch levels, operating systems and installed applications to find vulnerabilities that could be exploited by hackers trying to gain unauthorized access.

ISS Scanner is a product of IBM which has features like:

  • Comprehensive Reporting
  • Unlimited Asset Identification
  • Dynamic Check Assignment
  • Common Policy Editor
  • Real-time Display


Software Requirements:

Processor

Recommended: 2.4 GHz Dual XEON Processor

Minimum: 1.2 GHz Intel Pentium III

Memory

Recommended: 1 GB

Minimum: 512 MB

Hard disk

  • 315 MB for installation from CD-ROM
  • 345 MB for installation from file

Other requirements:

  • Free hard disk space: 300 MB
  • NTFS partition required
  • Sufficient disk space for session log files

Operating System

The following operating systems are officially supported:

  • Windows 2000 Professional with SP4
  • Windows Server 2003 Standard SP1
  • Windows XP Professional with SP1a

Database

Standard installation:

  • MSDE is automatically installed if it is not already present.
  • Microsoft Data Access Components (MDAC) 2.8 is included with the MSDE install.
  • RAM requirements include:
    • 128 MB of RAM (Windows XP)
    • 64 MB of RAM (Windows 2000)
    • 32 MB of RAM for all other operating systems


BlackICE


BlackICE is a personal firewall with an advanced intrusion detection system to constantly watch an Internet connection for suspicious behavior. BlackICE responds by alerting to trouble and instantly blocking the threat.

The firewall is especially useful for detecting intrusions over the network when it is managed through a centralized console such as Site Protector.

BlackICE:

  • Blocks hacker attacks instantly
  • Prevents destructive applications like worms and Trojans from ever starting
  • Reports attempted attacks and identifies intruders
  • Secures any Internet connection, including dial-up, DSL, or cable modem


Site Protector

Site Protector enables us to effectively manage, monitor and measure the enterprise security.

Internet Security Systems' SiteProtector application provides scalable, centralized security management and data analysis capabilities. SiteProtector simplifies large-scale deployments through cost-efficient, unified command, control and monitoring. Event prioritization and correlation enable real-time attack and misuse tracking.

The SiteProtector interface helps administrators work more efficiently through flexible views built around asset grouping and event aggregation. Powerful filters screen for event exceptions and false alerts. In addition, SiteProtector enables multiple site management via secure remote administration.

Software Requirements

Processor

Recommended: 2.4 GHz Dual XEON Processor

Minimum: 1.2 GHz Intel Pentium III

Memory

Recommended: 1 GB

Minimum: 512 MB

Hard disk

  • 315 MB for installation from CD-ROM
  • 345 MB for installation from file

Other requirements:

  • Free hard disk space: 300 MB
  • NTFS partition required
  • Sufficient disk space for session log files

Operating System

The following operating systems are officially supported:

  • Windows 2000 Professional with SP4
  • Windows Server 2003 Standard SP1
  • Windows XP Professional with SP1a

Database

Standard installation:

  • MSDE is automatically installed if it is not already present.
  • Microsoft Data Access Components (MDAC) 2.8 is included with the MSDE install.
  • RAM requirements include:
    • 128 MB of RAM (Windows XP)
    • 64 MB of RAM (Windows 2000)
    • 32 MB of RAM for all other operating systems

Sensor-only installation:

  • MSDE is not required.

Third-party Software

Included:

  • MDAC 2.8
  • Sun Java 2 Runtime Environment (J2RE), Standard Edition, Version 1.4.x

Dameware

Dameware is software used to access any system remotely after the proper rights are granted. Dameware diminishes the problem of geographical separation of computers and provides us remote control access to any system over the network. Dameware in fact acts as a Trojan to help access the computer's backdoor and clean the viruses.

Apart from Dameware, there are many other software packages that may be used to log in to machines remotely.

Miscellaneous

MS Office

MSDE (MS Desktop engine)    


Working

The ISS Scanner is started on the fixed scanner systems appointed for each pole. (The scanners are initiated by connecting to them remotely via Dameware.) Each scanner is configured with a range of domains and a set of rules comprising a policy. The scanning process is carried out twice every week.

All the hosts on the network are made to point to the Microsoft WSUS server. This facility pushes all the newly released patches onto every system pointing to it. However, many systems remain unpatched. The ISS Scanner holds the responsibility of detecting the unpatched systems: the operating system patches specified by the corporate policy are checked for their presence on the host machines. The ISS Scanner provides comprehensive reports, but only the required details are extracted. Once the reports are obtained, the vulnerable machines are patched manually.
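As an added example (not code from the page, from ISS or from the SOC), here is how the "extract only the required details" step can be scripted: a flattened scanner export is reconciled against the bulletins the corporate policy requires, and the hosts that WSUS has still left unpatched are listed for manual patching, most severe first. A host with no scanner result for a required bulletin is reported as a gap rather than silently counted as compliant. The CSV column layout, the host names and the MS07-000 bulletin are constructed for the example; MS07-029 is the real bulletin discussed on this page.

```python
"""Reconcile a vulnerability-scanner export with the corporate required-patch list.

The CSV layout is an assumption for this example, not ISS Scanner's real
report format; hosts, IPs and the MS07-000 bulletin are constructed.
"""
import csv
import io
from collections import defaultdict

# Bulletins the corporate policy requires on every host, with their severity.
# MS07-029 (Critical) is the bulletin quoted on the page; MS07-000 is a
# constructed placeholder for any other required bulletin.
REQUIRED = {"MS07-029": "Critical", "MS07-000": "Important"}

# Constructed scanner export: one row per host and patch check.
SCAN_EXPORT = """\
host,ip,os,check,status
host01,10.1.1.10,Windows Server 2003 SP1,MS07-029,Missing
host01,10.1.1.10,Windows Server 2003 SP1,MS07-000,Installed
host02,10.1.1.11,Windows XP SP2,MS07-029,Not Applicable
host02,10.1.1.11,Windows XP SP2,MS07-000,Missing
srv-dns1,10.1.1.53,Windows 2000 Server SP4,MS07-029,Missing
srv-dns1,10.1.1.53,Windows 2000 Server SP4,MS07-000,Installed
host03,10.1.1.12,Windows XP SP2,MS07-029,Not Applicable
"""


def parse_export(text):
    """Return the export as a list of row dicts; status is normalised to lower case."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["status"] = row["status"].strip().lower()
    return rows


def patch_state(rows, required=REQUIRED):
    """Per host: required bulletins reported missing, and required bulletins the
    scanner never reported on at all (a gap to rescan, not a pass)."""
    seen = defaultdict(dict)  # host -> {bulletin: status}
    ips = {}
    for row in rows:
        seen[row["host"]][row["check"]] = row["status"]
        ips[row["host"]] = row["ip"]
    state = {}
    for host, checks in seen.items():
        missing = sorted(b for b, s in checks.items() if b in required and s == "missing")
        unchecked = sorted(b for b in required if b not in checks)
        state[host] = {"ip": ips[host], "missing": missing, "unchecked": unchecked}
    return state


def remediation_list(rows, required=REQUIRED):
    """Hosts that still need manual patching despite WSUS, most severe first."""
    rank = {"Critical": 0, "Important": 1}
    out = []
    for host, st in patch_state(rows, required).items():
        if st["missing"]:
            worst = min(rank.get(required[b], 9) for b in st["missing"])
            out.append((worst, host, st["ip"], st["missing"]))
    out.sort()
    return [(host, ip, bulletins) for _, host, ip, bulletins in out]


if __name__ == "__main__":
    rows = parse_export(SCAN_EXPORT)
    for host, ip, bulletins in remediation_list(rows):
        print(f"{host} ({ip}): apply {', '.join(bulletins)}")
    for host, st in patch_state(rows).items():
        if st["unchecked"]:
            print(f"{host}: no scanner result for {', '.join(st['unchecked'])}, rescan")
```

The "unchecked" list matters in practice: a host that is offline or denies access during the scan (two of the expected problems listed further down) produces no result at all, which looks the same as "installed" unless the script distinguishes the two.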

Another assessment is made of the range of machines accessing any system. The host-based intrusion detection system/firewall, BlackICE, maintains a policy allowing a range of IPs to access the host. Any system with an IP address not specified in the policy is blocked and followed up. This is done effectively using a centralized console, Site Protector. These assessment details are sent twice every week to the client.
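The allow-by-policy rule described above, as an added example that is not BlackICE's own policy format or code: connection attempts recorded by the host are checked against the allowed address ranges, and every source that is not covered by the policy is collected for follow-up, grouped by source address. The policy entries (a CIDR block and an address range) and the log lines are constructed.

```python
"""Check recorded connection attempts against a host's allowed-IP policy.

Added example; the policy syntax (CIDR blocks and "a-b" ranges) and the
log line format "date time src_ip dst_port" are assumptions, not BlackICE's.
"""
import ipaddress

# Constructed trust policy: address ranges allowed to reach this host.
ALLOWED = ["10.1.0.0/16", "192.168.50.10-192.168.50.20"]

# Constructed connection-attempt log lines.
ATTEMPTS = """\
2007-06-07 09:00:01 10.1.4.22 445
2007-06-07 09:00:05 172.16.9.8 139
2007-06-07 09:00:09 192.168.50.15 3389
2007-06-07 09:00:12 192.168.50.99 445
2007-06-07 09:00:20 10.1.200.3 135
"""


def compile_policy(entries):
    """Turn CIDR blocks and a-b ranges into (first, last) integer pairs."""
    ranges = []
    for entry in entries:
        if "-" in entry:
            first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-"))
        else:
            net = ipaddress.ip_network(entry.strip(), strict=False)
            first, last = net[0], net[-1]
        ranges.append((int(first), int(last)))
    return ranges


def is_allowed(ip, policy):
    """True when the address falls inside any allowed range."""
    n = int(ipaddress.ip_address(ip))
    return any(lo <= n <= hi for lo, hi in policy)


def triage(log_text, entries=ALLOWED):
    """Return the attempts the policy blocks, grouped by source: {src_ip: [ports]}."""
    policy = compile_policy(entries)
    blocked = {}
    for line in log_text.splitlines():
        _date, _time, src, port = line.split()
        if not is_allowed(src, policy):
            blocked.setdefault(src, []).append(int(port))
    return blocked


if __name__ == "__main__":
    for src, ports in triage(ATTEMPTS).items():
        print(f"blocked {src}: ports {ports}")
```

Grouping by source rather than by event is what makes the twice-weekly report useful: a single unknown host probing several ports appears once, with the port list, instead of as a row per packet.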

Here is an example of a typical vulnerability in the Microsoft Windows operating system:

MS07-029    

Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (935966)

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately

Security Update Replacement: None

Caveats: None

Affected Software:

  • Microsoft Windows 2000 Server Service Pack 4
  • Microsoft Windows Server 2003 Service Pack 1 and Microsoft Windows Server 2003 Service Pack 2
  • Microsoft Windows Server 2003 with SP1 for Itanium-based Systems and Microsoft Windows Server 2003 with SP2 for Itanium-based Systems
  • Microsoft Windows Server 2003 x64 Edition and Microsoft Windows Server 2003 x64 Edition Service Pack 2

Non-Affected Software:

  • Microsoft Windows 2000 Professional Service Pack 4
  • Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP Professional x64 Edition and Microsoft Windows XP Professional x64 Edition Service Pack 2
  • Windows Vista
  • Windows Vista x64 Edition


Expected Issues/Problems:

> Machines showing offline status

> DNS issues

> Access denied issues

> Inclusion of servers in the list    


Job Requirements

> Profound understanding of network security

> Familiarity with ISS tools (Scanner, Site Protector)

> Proficiency in MS Office applications (MS Excel in particular)

> Scripting (Windows and VB) and SQL

> Good communication skills and common sense


ANTI VIRUS


Introduction

The Anti Virus process is concerned with protecting the systems on a network from malware. Malicious software on a computer can take the form of computer viruses, worms, Trojan horses, spyware, dishonest adware, and others. Stopping this malware from infecting the system, and cleaning it in case of infection, is the job of any Anti Virus team.

The AV team in GENPACT uses Symantec Antivirus corporate edition installed on every system of the client. Trend Micro provides similar security to the servers. Site Protector helps in identifying viruses with their signatures and a web portal runs a Network Intrusion Detection System to block unauthorized access.

Virus: A computer virus is a computer program that can copy itself and infect a computer without permission or knowledge of the user. The original may modify the copies or the copies may modify themselves, as occurs in a metamorphic virus. A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or carrying it on a removable medium such as a floppy disk, CD, or USB drive. Additionally, viruses can spread to other computers by infecting files on a network file system or a file system that is accessed by another computer.

Example: W32.Looked.BK

Trojan: A Trojan horse is a file that appears harmless until executed. In contrast to viruses, Trojan horses do not insert their code into other computer files.

Worm: A worm is a virus that can spread itself to other computers without needing to be transferred as part of a host.

Software Used

Symantec Anti Virus (SAV)

Installed on every system, Symantec Anti Virus provides end point security to the systems. It also provides a centralized access, Symantec System Center, for remote detecting and cleaning.


Key features are,

  • Allows advanced, enterprise-wide virus protection and monitoring from a single management console.
  • Real-time scanning capabilities automatically detect and remove spyware that attempts to run or install on a machine.
  • Effectively protects from spyware and adware.

For SAV to run smoothly, two processes, rtvscan.exe and defwatch.exe, must be running in the background. These processes stop running only when something is wrong, and the problem must then be corrected.


Trend Micro

This is a similar Anti Virus product, more suited to servers. It is taken care of by a server team.

Site Protector – Centralized Management

Site Protector enables us to effectively manage, monitor and measure the enterprise security.

Internet Security Systems' SiteProtector application provides scalable, centralized security management and data analysis capabilities. SiteProtector simplifies large-scale deployments through cost-efficient, unified command, control and monitoring. Event prioritization and correlation enable real-time attack and misuse tracking.

The SiteProtector interface helps administrators work more efficiently through flexible views built around asset grouping and event aggregation. Powerful filters screen for event exceptions and false alerts. In addition, SiteProtector enables multiple site management via secure remote administration.

14 signatures are being implemented:

  • Content_Compound_File_Bad_Extension
  • MSRPC_LSASS_BO
  • MSRPC_REMOTEACTIVATE_BO
  • PLUGANDPLAY_BO
  • SMB_AUTH_FAILED
  • SMB_NIMDA_WORM
  • SQL_SSRP_STACKBO
  • SSL_ANSI_OVERFLOW
  • WIN_MESSENGERPOPUP_BO
  • SQL_SSRP_Slammer_Worm
  • TCP_Probe_Sub7
  • ANSI_Bit_Srt_Heap_Corruption
  • Image_WMF_NumObjects_Corrupts
  • SMB_Guessable_Password


Dameware

Dameware is software used to access any system remotely after the proper rights are granted. Dameware diminishes the problem of geographical separation of computers and provides us remote control access to any system over the network. Dameware in fact acts as a Trojan to help access the computer's backdoor and clean the viruses.

Miscellaneous

  • MS Office
  • PS tools
  • Symantec signature tools


Working

The Anti Virus process uses four major tools:

  • Symantec System Center Console
  • Site Protector
  • Trend Micro Updates
  • The GNO web portal

All the host machines report to a Symantec server, which in turn updates the parent server fixed for each pole. The details of the actions taken are collected at the SSC. Actions recorded as 'cleaned' or 'quarantined' are set aside, and the 'left alone' actions are collected. The systems carrying these viruses are identified. Various methods are used to remove the viruses: PsTools, virus cleaners, or ad-hoc methods may be tried. The detected system may be taken control of and the detected file deleted.

Old and pending virus definitions are also obtained through the SSC, and a script is run to push new definitions. Virus alerts for servers arrive by mail from Trend Micro. These are left unattended, as the server team handles the Anti Virus facility for servers.
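The two SSC-driven steps above (collect the 'left alone' detections per host, and find hosts whose definitions are old enough to need a push) as one added example. This is not Symantec System Center's export format or any script used by the team: the CSV columns, host names and dates are constructed, and a real export would need its own column mapping.

```python
"""Triage a Symantec System Center (SSC) detection export.

Added example. The CSV column names, hosts, paths and dates are constructed;
the real SSC export layout is not assumed to match.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed SSC export: one row per detection, plus each host's definition date.
SSC_EXPORT = """\
computer,virus,action,path,definitions
host01,W32.Looked.BK,Cleaned,C:\\Program Files\\app\\setup.exe,2007-06-07
host02,W32.Looked.BK,Left alone,C:\\WINDOWS\\uninstall\\rundl132.exe,2007-06-01
host02,W32.Looked.BK,Left alone,C:\\WINDOWS\\Logo1_.exe,2007-06-01
host03,Trojan.Dropper,Quarantined,C:\\temp\\a.exe,2007-06-06
host04,W32.Looked.BK,Left alone,D:\\share\\tool.exe.exe,2007-05-20
"""

# Actions that mean SAV did not deal with the file and a person has to.
FOLLOW_UP_ACTIONS = {"left alone"}


def parse_ssc(text):
    """Return the export as a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def unresolved_by_host(rows):
    """Hosts where SAV could not deal with a detection: {host: [(virus, path), ...]}.
    'Cleaned' and 'quarantined' rows are dropped, as the process describes."""
    out = defaultdict(list)
    for row in rows:
        if row["action"].strip().lower() in FOLLOW_UP_ACTIONS:
            out[row["computer"]].append((row["virus"], row["path"]))
    return dict(out)


def stale_definitions(rows, today, max_age_days=3):
    """Hosts whose newest reported definition date is older than max_age_days,
    i.e. the hosts the definition-push script should target."""
    newest = {}
    for row in rows:
        d = date.fromisoformat(row["definitions"])
        if row["computer"] not in newest or d > newest[row["computer"]]:
            newest[row["computer"]] = d
    return sorted(h for h, d in newest.items() if (today - d).days > max_age_days)


if __name__ == "__main__":
    rows = parse_ssc(SSC_EXPORT)
    for host, items in unresolved_by_host(rows).items():
        print(f"{host}: {len(items)} file(s) left alone")
        for virus, path in items:
            print(f"    {virus}  {path}")
    print("push definitions to:", stale_definitions(rows, date(2007, 6, 7)))
```

Keying the definition-age check on the newest date per host avoids flagging a machine that has already updated but still has older rows in the export from earlier detections.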

A separate network intrusion detection system runs and uploads the systems detected with backdoors or intrusions to a web portal. The portal displays all the systems from all the domains of GE; the systems in the GEAM (or GEP) domain are worked upon.

Reports on virus activities and removals are sent to the client everyday.

Here is an example of a virus, its details and the removal methods.

W32.Looked.BK

Discovered: November 28, 2006

Updated: November 29, 2006 9:02:46 AM

Also Known As: W32/Looked-BC [Sophos], W32/Looked-BB [Sophos], W32/Looked-BF [Sophos], W32/Looked-BG [Sophos], W32/HLLP.Philis.cz [Sophos], W32/Looked-BJ [Sophos], W32/Looked-BL [Sophos], W32/Looked-BK [Sophos], W32/Looked-BN [Sophos], PE_LOOKED.RN-O [Trend], W32/HLLP.Philis.ga [McAfee], W32/HLLP.Philis.fv [McAfee], W32/Looked-CF [Sophos], Win32/Looked.FM [Computer Associates], W32/Looked-CJ [Sophos], W32/Viking.GT [Norman], W32/Looked-CM [Sophos], W32/Looked-CP [Sophos], W32/Looked-CS [Sophos], W32/Looked-CU [Sophos], W32/Looked-CV [Sophos], W32/Looked-CX [Sophos]

Type: Worm

Infection Length: From 55,937 bytes to 68,371 bytes

Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000

W32.Looked.BK is a network-aware worm that infects executable files in local drives and network shares.

Threat Assessment

  • Wild Level: Medium
  • Number of Infections: 50 - 999
  • Number of Sites: 3 - 9
  • Geographical Distribution: Medium
  • Threat Containment: Easy
  • Removal: Easy


Damage

  • Damage Level: Medium
  • Payload: Infects executable files in local drives and network shares.
  • Compromises Security Settings: Attempts to end security-related applications.

Distribution

  • Distribution Level: Medium
  • Target of Infection: Network shares.

When the worm is executed, it copies itself as the following files:

  • %Windir%\uninstall\rundl132.exe
  • %Windir%\Logo1_.exe



It then drops the following file:

%Windir%\RichDll.dll - a copy of Downloader



The worm may also create the following files:

  • %UserProfile%\Local Settings\Temp\$$a5.bat
  • %UserProfile%\Local Settings\Temp\$$ab.bat



The worm then checks for the presence of the following registry entry and exits if found:

HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW\"auto" = "1"



If the above registry entry does not exist, the worm will create it as an infection marker.



The worm creates the following registry entry so that it runs every time Windows starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"load" = "%Windir%\uninstall\rundl132.exe"



The worm ends the following processes, some of which are security-related:

  • RavMon.exe
  • EGHOST.EXE
  • MAILMON.EXE
  • KAVPFW.EXE
  • IPARMOR.EXE
  • Ravmond.EXE
  • regsvc.exe
  • RavMon.exe
  • mcshield.exe



The worm attempts to stop the following service:

Kingsoft AntiVirus Service



The worm then injects its DLL component, RichDll.dll, into either iexplorer.exe or explorer.exe.



Next, the worm searches for .exe files to infect in all the drives from C to Y.



The worm prepends itself to any .exe files that it locates on the computer. The infected file increases in size by 55,937 to 68,371 bytes.



The worm makes a copy of the .exe file that it will infect. The new file is saved with the same name as the original .exe file and uses a double .exe extension, for example:

[ORIGINAL FILE NAME].exe.exe



The viral code is then appended to the original file and saved as the new file. The worm then replaces the original file with the infected version.



It also searches network shares to find executable files. At the same time, it sends ICMP packets with a message "Hello,World".



It periodically sets the speaker volume to zero, finds a dialog whose window class name is "AVP.AlertDialog", pushes the "Allow" or "Skip" button (in Chinese) on the dialog and resets the speaker volume. As a result, security warning messages in Simplified and Traditional Chinese are ignored automatically and the beep sound is not heard.



The worm creates the file _desktop.ini in every directory in which it has searched for executable files. This file has the hidden and system attributes set and stores the date the worm was executed.



The worm will not infect .exe files in folders with the following names:

  • Internet Explorer
  • ComPlus Applications
  • NetMeeting
  • Common Files
  • Messenger
  • Movie Maker
  • MSN Gaming Zone
  • system
  • system32
  • winnt
  • windows
  • Recycled
  • Documents and Settings
  • System Volume Information
  • _desktop.ini
  • Windows NT
  • \Program Files\
  • WindowsUpdate
  • Windows Media Player
  • Outlook Express
  • Microsoft Office
  • InstallShield Installation Information
  • MSN
  • Microsoft Frontpage

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. Run a full system scan.
  4. Delete any values added to the registry.
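As an added example (not Symantec's removal tool, and not code from the page), the indicators in the writeup above can be turned into a host check that supports step 4: it looks for the infection-marker and Run-key registry values the worm adds, the dropped copies, the double ".exe.exe" files, the hidden+system _desktop.ini marker, and executables that have grown by exactly the 55,937 to 68,371 bytes the worm prepends. The check runs over a snapshot of the host (registry values, a file listing with sizes and attribute flags, and known-good sizes from an inventory) so that it can be run offline; the snapshot, the inventory and the assumption that %Windir% is C:\WINDOWS are constructed for this example.

```python
"""Host-indicator check for W32.Looked.BK, built from the writeup's indicators.

Added example. It evaluates a constructed host snapshot rather than reading a
live registry or file system; %Windir% is assumed to be C:\\WINDOWS.
"""

WINDIR = r"C:\WINDOWS"  # assumption for the constructed snapshot

# Files the worm copies or drops (from the writeup).
DROPPED_FILES = {
    rf"{WINDIR}\uninstall\rundl132.exe".lower(),
    rf"{WINDIR}\Logo1_.exe".lower(),
    rf"{WINDIR}\RichDll.dll".lower(),
}
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW"      # "auto" = "1"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SIZE_DELTA = (55_937, 68_371)  # bytes the worm prepends to an infected .exe

# Constructed snapshot of one host: registry values, files (path, size, attribute
# flags such as H=hidden, S=system, A=archive) and inventory sizes for known files.
SNAPSHOT = {
    "registry": {
        (MARKER_KEY, "auto"): "1",
        (RUN_KEY, "load"): r"C:\WINDOWS\uninstall\rundl132.exe",
        (RUN_KEY, "ctfmon"): r"C:\WINDOWS\system32\ctfmon.exe",
    },
    "files": [
        (r"C:\WINDOWS\uninstall\rundl132.exe", 60_000, "A"),
        (r"C:\WINDOWS\RichDll.dll", 21_000, "A"),
        (r"D:\share\tool.exe", 132_117, "A"),
        (r"D:\share\tool.exe.exe", 76_180, "A"),
        (r"D:\share\_desktop.ini", 10, "HS"),
        (r"C:\Program Files\app\app.exe", 200_000, "A"),
    ],
    "baseline_sizes": {  # known-good sizes from a software inventory (constructed)
        r"D:\share\tool.exe": 76_180,
        r"C:\Program Files\app\app.exe": 200_000,
    },
}


def registry_findings(registry):
    """Registry values the worm adds; these are the values step 4 deletes."""
    hits = []
    for (key, name), data in registry.items():
        if key == MARKER_KEY and name == "auto" and data == "1":
            hits.append((key, name))
        elif key == RUN_KEY and data.lower().endswith(r"\uninstall\rundl132.exe"):
            hits.append((key, name))
    return hits


def file_findings(files):
    """Dropped copies, double-extension copies and the _desktop.ini marker."""
    hits = []
    for path, _size, attrs in files:
        low = path.lower()
        if low in DROPPED_FILES:
            hits.append(("dropped copy", path))
        elif low.endswith(".exe.exe"):
            hits.append(("double extension", path))
        elif low.endswith(r"\_desktop.ini") and "H" in attrs and "S" in attrs:
            hits.append(("marker file", path))
    return hits


def growth_findings(files, baseline):
    """Executables that grew by the worm's prepended size since the inventory."""
    lo, hi = SIZE_DELTA
    hits = []
    for path, size, _attrs in files:
        base = baseline.get(path)
        if base is not None and lo <= size - base <= hi:
            hits.append(("prepended", path, size - base))
    return hits


def assess(snapshot):
    """Run all three checks over a host snapshot."""
    return {
        "registry": registry_findings(snapshot["registry"]),
        "files": file_findings(snapshot["files"]),
        "growth": growth_findings(snapshot["files"], snapshot["baseline_sizes"]),
    }


if __name__ == "__main__":
    for kind, findings in assess(SNAPSHOT).items():
        for finding in findings:
            print(kind, *finding)
```

The size check is the one that survives a renamed or moved copy: the file names and registry values are easy to recognise, but an infected program keeps its own name, and only its growth by the documented amount gives it away.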


Job Requirements

> Profound understanding of network security

> Familiarity with ISS tools (Scanner, Site Protector)

> Proficiency in MS Office applications (MS Excel in particular)

> Scripting (Windows and VB) and SQL

> Good communication skills and common sense


AV & VA Study & Suggestions

Network intrusion detection and security concerns for servers can also be handled by the team; this would also facilitate smooth tracing of viruses and the taking up of new projects to make the network more secure in cases of transitions, scaling and other changes. There is an unequal work distribution between the AV and VA teams, although all the team members are equally capable of either task. Cross training is a good step towards proper distribution of work. This would also enable merging AV and VA into one process with the coming of Sophos.

Sophos would make things easier, however, at the cost of rework, rigorous testing and investment of capital and labor. The trade-off must have already been considered.


Sophos

A new multipurpose suite, Sophos, will soon replace all the existing tools being used for AV and VA. Scanning, though, would continue to use the ISS Scanner. Sophos will be a single product capable of performing all the firewall, spyware and Anti Virus activities that the earlier systems were handling.

The initial testing of Sophos has begun, and it is being checked for its behavior under the application of various cleaning tools. This will be followed by rigorous testing in a virtual environment and finally over the GEP network. The first week of August will see Sophos going fully live and taking over the complete working of AV and VA.

Sophos Includes

Enterprise Console is a single point from which to deploy, update and report on security policies for both Sophos Anti-Virus and Sophos Client Firewall across thousands of computers.

Sophos Anti-Virus provides virus, spyware, and adware protection, and control of IM, VoIP, P2P and games. It supports Windows, Mac, Linux and many other platforms.

Sophos Client Firewall is centrally managed to stop zero-day threats, and prevents intrusions from hackers.


References:

  • www.wikipedia.org
  • www.iss.net
  • www.microsoft.com
  • www.symantec.com
  • www.google.com
  • www.sophos.com
  • www.trendmicro.com

posted by xubayr at Thursday, June 07, 2007