by October 14, 2006 0 comments



You have firewalls at each and every entry or exit point of your network. You
regularly patch and update antiviruses on all servers as well as nodes of your
network. Your operating systems are patched and updated regularly and you have
good spam filters and antiviruses to check all the incoming and outgoing mails
and attachments. Moreover, you do not allow any foreign machine to enter your
network unless and until it’s scanned thoroughly. Even your password policy is
so strong that no password can be smaller than 8 alphanumeric characters, which
is automatically changed every fourth night. These are reasons enough to lull
you into believing that you are well and truly secure. Aren’t they?

We don’t want to scare you but think of a scenario where there is a worm
for which no antivirus is ready nor is there any antidote for it. Even your
firewall doesn’t recognize its signature, nor does your anti-spam have a
filter for it. How are you going to protect your systems against such kind of a
threat? Now, you must be wondering how can this be possible, Which are these
worms that no security application or device knows about? Welcome to the world
of Zero Day Attacks!

What are ZDE and ZDA?
Irrespective of the brand, type or technology, each and every appliance or
device has some or the other bug which can lead to a compromise in security.
Some of these flaws are known while others are not. Now there are organizations
and individuals who hunt for these security related bugs (also called
vulnerabilities). The nature of work done by these organizations or individuals
could be different. And depending on that, either they will publicly release the
information about the vulnerability and help in the development of a patch for
the exploit or they will release it to the black hat community and help in
creation of an exploit for that.

Whenever the underground community comes to know about the flaw, they will
start creating an exploit for it. The time between the creation of the exploit
and the public availability of the patch for the exploit is called a Zero Day
Exploit or ZDE, and any attack, which happens using such an exploit is called a
Zero Day Attack or ZDA.

Why should I care?
Security is a key concern for everybody. Every organization has made heavy
investments into various security products and solutions to protect their
networks, servers, desktops, and applications against malicious code. Already,
they suffer from heavy financial and productivity losses while taking care of
known attacks. Imagine then what an unknown attack can do? It can be the
nastiest type of attack you have ever seen. The two key factors, which make a
ZDA so dangerous, are its uncertainty and unpredictability. Technically, nothing
is known about a ZDA at the time it happens. Plus, in this case ignorance is not
at all bliss. If you don’t know about something then how you can protect
yourself against that. There might be a worm running in your computer right now
doing all sorts of nasty things and you don’t even know about it because no
antivirus has the signature to identify it.

BED 0.5
This is probably the
easiest fuzzer to use. It is also known as Bruteforce Exploit Detector, as
it does stress testing of network protocols mainly FTP, SMTP, POP, HTTP,
IMAP, LPD, etc. It’s a collection of scripts to automatically test
implementations of different protocols for buffer overflows and/or format
string vulnerabilities, by sending a lot of long strings to a server. It’s
written in Perl and running it is simple. For running it from the command
line, run its Perl file, choose the protocol plug-in according to the
protocol you are going to test and provide host address, and the port. It
will automatically brute force that host for the protocol specified by you
for a while. To use this fuzzer just run the following command:

bed.pl —s -t
-p -o

Plugins are chosen according to the protocol you are
going to stress test. By default, it comes with 11 different protocol
plugins.

And even though all your softare is patched with the latest updates, your
machines remain infected and you could lose data, money, and productivity. The
other problem with ZDA is that even if you know there is a ZDE available, you
can’t be certain as to when you’re going to see a patch for that in future.
It can take anywhere from a few hours to a few months to get a patch for any ZDE.
So, if you are using an application with the ZDE, you can expect a ZDA to happen
at any point of time during this duration.

Let’s take a very recent example. A new vulnerability for MS Word 2000,
running on Windows 2000, was discovered on 2nd September this year. Microsoft
was planning to ship the patch on 12th September, but at the time we were going
to press, there was no patch available for it. So the only way of protecting
yourself from it, which any security company would tell you, is not to open any
unknown documents. Similar to that, there are many other Zero Day Exploits
surrounding us, which can attack at any point of time.

So what to do?
That’s a million dollar question, and we’ll answer that in this story.
Contrary to belief, there are plenty of ways through which you can fight against
ZDAs. And in this article we try to figure out the most common ones. The first
one in our list is called Fuzzing. You might have heard about it, because it’s
been talked about quite a bit in the world of security. Knowing about fuzzing
will also help you understand how ZDEs are discoverd.

See and configure rights on different APIs and files responsible for running any application

Understanding Fuzzing
No matter how great a developer or how securely he may write a code, there has
to be some or the other bug present in the application. According to experts, in
every 1000 lines of code there are on an average, 5 bugs present. And a good
percentage of these bugs can be used for compromising the application. Now there
are two ways of finding these bugs. First, is the traditional way in which some
one sits and hunts for the logical errors in the application by using exception
handlers and checkpoints. This technique becomes tougher when one doesn’t have
access to source code of the application.

In the second, we have fuzzers -software programs or scripts specifically
created to look for errors in any piece of code or application. A fuzzer would
virtually look for every input variable and try every possible combination of
that input, and will try to find unhandled coding errors. Fuzzers are also known
as Fault Injectors because they create and inject faults inside any application.
You can easily download some very effective fuzzers from the Web and that too
for free. These fuzzers can test errors on applications, protocols, files etc
and are used widely to find new vulnerabilities such as Buffer Overflow, DoS,
SQL Injection and XSS.

Now you must be wondering how to use fuzzers for preventing your network and
devices from zero day attacks? Generally, it is assumed that finding
vulnerabilities is the job of hackers or security agencies, or the people who
made the software. Why should you put your precious time and money into it when
you are already paying a hefty amount to the software vendors? This is best
answered in two parts. First of all it will be always better that you get to
know about any vulnerability which exists in your devices or apps before the
hackers know about. And once you find out that vulnerability you can approach
any security agency or the vendor of the product (in which you have detected the
flaw) and ask them to fix it before the exploit becomes public.

PIRANA
This fuzzer is a
penetration testing framework designed to check security of an SMTP
content filter. It checks the filter for various known exploits and
vulnerabilities. It also sends viruses embedded in the e-mail to check
whether the content filter is able to detect it or not.
You can use it by running the following command:

Pirana.pl —e -h
-a -s

Here exploit number is the exploit for which SMTP server
is going to be tested. By default PIRANA knows 5 exploits. However, it
also lets you add your own exploit. Shellcode type specifies what type of
shellcode should be injected if an exploit is detected. For now it comes
with two kinds of shellcodes: TCP connect back; and UDP connect back.

The second and more important case will be when you have some costum made
applications. Let’s say a web based CRM package. In this case you are the
owner of the product and if there is any vulnerability or code flaw in your
application then no security agency will even get to know about the issue. So,
you have to be proactive enough to run such kind of fuzzers on your application,
figure out the flaws and fix them.

Fuzzers are not limited to finding exploits only. One of the fuzzer called
PIRANA is capable of testing how strong your e-mail content filter is. We liked
the fuzzer so much that we plan to include it in our spam filter testing
benchmarks. There are a plenty of fuzzing frameworks available out there which
let you find your own fuzzer for a specific test situation.

Application firewalls
The best way to fight against any kind of unknown attack is to restrict your
application from showing any unwanted behavior. For that all you need is an
application firewall. This is a tool which records any application for normal
behavior and saves them in a profile. Whenever the application does something
abnormal then it either creates an alert or it simply restricts the application
from running. The concept is pretty much similar to SELinux but in case of
AppArmor, an OpenSource application firewall, it’s easier to configure and
manage. In the following sections we also talk about a Windows based application
firewall called SocketShield.

This software provides protection against ZDA worms from malicious websites by continuously monitoring the traffic coming from port 80

1. AppArmor: AppArmor is an OpenSource application firewall and is
currently maintained by Novell. You can get the paperwork related to it from
either http:/ /forge.novell.com/modules/xfmod /project/?apparmor, or you can
compile and install it on top of any Linux distro. But if you want the easiest
way out, get a copy of SLES 10 or OpenSuSE 10. Both distros have AppArmor out of
the box. The benefit you get in this case, is the easy manageability and usage
of the application using SuSE’s well know configurator called YaST. The
complete configuration is wizard driven and the application can be up and
running in a couple of minutes.

For configuration, fire up YaST and select the AppArmor tab from the left
pane. Clicking on this will show you all the wizards available to configure
AppArmor. Now to add and secure any application, all you have to do is click on
the ‘Add Profile’ icon. This will fire up a wizard. Now, browse to the
executable file, which you want to secure.

After selecting the appropriate file, click on the Next button and proceed.
In the next screen the wizard will ask you to run the application for some time.
Run the application that you have just now added, to the profile for a few
minutes and do all the normal tasks associated with it. This activity will help
the wizard record all necessary files and APIs required to run the application.
Once you have done this, click on the Finish button. This completes the task of
securing your application. You can even fine tune the application settings and
add or remove new APIs, files, paths and permissions to the application’s
profile in the the ‘Edit Profile’ option. Whenever any kind of virus or bug
enters the system (be it known or unknown) and tries to modify the settings and
parameters of the application, AppArmor will automatically detect, restrict and
alert you about its activities.

WebApp can protect you from an attacker, pen-testing your website, by providing Form and Cookie validation 

2. Socket Shield: Socket Shield is a utility that protects you against
zero day worms and other malware coming through websites. Yes, you got it right,
it only monitors traffic coming from port 80. It monitors the incoming stream of
traffic for both known and bad IP addresses and exploits. This entire process is
invisible to the user and doesn’t impact system performance. In other words it
protects computers from vulnerabilities by monitoring socket-level traffic for
exploits and closing the socket when an exploit is detected, so that it does not
enter your PC. This provides two levels of protection-Blocking and Shielding.
The former uses a list of IP addresses that are known as providers of exploits,
and all HTTP requests for any page in these domains are simply blocked. While in
the latter, the program is ‘exploit aware’ for all current exploits as well
as for a select list of ‘immediate past’ exploits, by their signatures
and/or other uniquely identifiable components. When Socket Shield inspects a
stream and discovers an exploit within that, it immediately blocks it and also
that website.

Installing and using Socket Shield is very simple. Once it is run it starts
monitoring the system and doesn’t require any configuration from the user. If
you want to customize it, then open its control panel and customize your
installation, and view a list of exploits and malicious websites that have been
blocked. It also gives you news from its vendors’ Exploit Prevention Labs.

Watchguard and ZDA
Watchguard has a huge range of appliances to provide protection against Zero Day. Their Firebox X core and Peak Unified Threat Management appliances all provide ZDA protection from new and unknown attacks without the need of signatures. They use an Intelligent Layered Security architecture, which uses technologies like Protocol Anomaly Detection, Pattern Matching, Behavior Analysis, etc to stop different classes of attacks. 

Socket Shield runs from the system tray and continuously displays its status.
Under Net-work Activity, it shows all open processes running on your computer
that have access to the Internet and the number of information bytes that have
been sent and received.

Similarly, it shows a list of exploits it has prevented under the ‘Exploits
Prevented’ tab and details about websites blocked by it under ‘Malicious
Sites Blocked’ tab. As far as performance of the software goes, it managed to
block access to all the malicious websites that we tried to access from the
system.

Web server protection
Remember famous worms like Code Red and Nimda, that attacked Web servers and
caused plenty of damage? As network security is becoming harder to penetrate
because of firewalls, IDS devices, and secure gateways, hackers have turned to
Web applications. WebApp.secure is a software for Web server hardening and Web
application security. You can download it from www.websecurity.com/pe.htm. It
uses intelligent web/insite technology (as it is called by its vendor) to
recognize and enforce a website’s intended use guidelines (how a Web server
and the applications it runs, are meant to be used). All activity that does not
meet its Intended Use Guidelines, is automatically blocked and reported. 

Prevx1 continuously monitors system and application behavior. When it finds suspicious activity it immediately alerts the user and its community database

Thus, it provides protection against zero day worms. Whenever a worm tries to
exploit a vulnerability it will detect some change on the Web server and
automatically block it. Other than zero day it also provides protection against
SQL Injection attacks, URL parameter tampering, forceful browsing, cross-site
scripting attacks, buffer overrun attacks and also protection against website
defacement.

It also allows you to run multiple instances of the software to protect
multiple IP-based virtual websites on the same server. You can run each instance
separately with its own configuration. You can configure WebaApp easily in five
steps. First of all it asks for the basic Web server configuration and then for
entry points. These points are one or more URLs that are accessible without
restriction from outside. Its web/insite feature automatically starts
identifying the Intended Use guidelines. Next you need to define policies for
directories, logs alerts notifications, etc when an attack occurs. The software
does plenty of logging to provide an option for activity audit trails. Other
than regular system logs, HTTP header logs, it also keeps a log of w3c standard
fields. Next, you need to define performance tuning for the Web server and SSL
properties. It also lets you do Form and Cookie validation. Once you have
completed all these steps the software is ready to protect your Web server.

Prevx1


Prevx1
Prevx1 is an anti-malware software. It can run along with your anti-virus,
firewall etc. It can also stop new zero-day malwares from coming into your
systems through constant system and application behavior monitoring and also
protects you against all known malwares. To effectively protect your system it
constantly requires Internet access.

Microsoft HoneyMonkey
Strider HoneyMonkey is a project from Microsoft to detect and analyze websites hosting malicious code. Their intent is to stop attacks that use web servers to exploit unpatched browser vulnerabilities and install malware on the PCs of users. The project is taken from the popular honeypots, and according to them HoneyMonkey is a computer or a virtual PC that actively copies the actions of a user surfing the web. A series of ‘monkey programs,’ which drive a browser in a manner similar to that of a human user, run on virtual machines in order to detect exploit sites. The browsers can be fully or partially updated in order to look for exploit sites that target specific vulnerabilities. For further details you can visit their homepage at
http://research.microsoft.com/honeymonkey
 

When Prevx1 is run for the first time, it carries out a once-only scan to
identify all executable files on the computer. After these files have been
cataloged, it verifies them against its online community database. After that
Prevx1 continuously monitors system behavior to detect malwares. If it finds a
suspicious application behavior, it anonymously reports it back to its Prevx1
community database which then monitors this feed in real time, constantly
assessing and re-assessing an application’s behavior. If it finds this behavior
to be malicious, it will block the application and add it to its database, thus
protecting you against zero day attacks.

The Prevx1 community database has records of known good and bad programs.
After it has blocked a known program, it shows a message box where you can get
online details about the files it blocked. When it blocks a program it puts it
into Prevx1 jail. This jail is essentially a repository for malware it has
detected where it divides them into various categories.

Prevx1 for business lets you manage and control security issues throughout
the organization using a Web based security console. This console lets you see
where Prevx1 is installed and the whole status of the nodes on which it is
installed.

It will also keep you informed about any attacks on your PCs. The console
also provides configuration options allowing you to control Prevx1 centrally. It
also lets you do an unattended silent remote installation of Prevx1 on your
clients. Plus, you can choose whether it runs silently or with minimal
visibility to the user.

Symantec Critical System Protection
With SCSP policies you can control
behavior of applications running at the client end and immediately
block it if any attack takes place

Symantec Critical System Protection (SCSP) provides zero
day attack protection through policy-based behavior control and detection
for both servers and desktops. It continuously monitors and controls
application behavior, blocks port traffic, and provides host-based
intrusion prevention and detection, and also controls how processes and
users access resources. It also provides protection against buffer
overflow attacks. An integrated firewall is present, to help you block
inbound and outbound TCP/UDP traffic. You can block traffic per port, per
protocol, per IP address or range, etc. SCSP has three main components:
SCSP server; client agents; and a management console. SCSP agents are
required to be installed on the clients. It lets you customize how agents
communicate with the server. These agents report events to management
console as and when they happen. The centralized management console
enables administrators to configure, deploy and maintain security
policies, manage users and roles, view alerts, and run reports. Symantec
Critical System Protection creates security policies for every normal
program running on the system. It also has a policy editor trough which
you can easily make focused policies. It also comes with a policy library,
which contains sample prevention and detection policies and has rules to
detect specific actions, and take actions accordingly.

To get best results from this software, you need to get
its policies right. In our tests when a worm tried to alter MS Word, it
successfully managed to detect and block the worm immediately. It does
plenty of reporting and comes with 75 predefined queries and reports that
can provide an overall summary of the activities. It does real time
alerting too as it can alert you through email when an event matches the
criteria specified for the alerts. SCSP is a good software and can
effectively protect your clients against ZDA.

Similarly, you can also optimize security policies for particular user and
system functions. By default, it has three modes-ABC, Pro and Expert. In ABC
mode it’s all silent for the user whereas in Pro mode it generates queries for
unknown programs violating certain Prevx1 Protection Settings. In Expert mode,
it generates queries for good and unknown programs violating protection as well
as unknown ones.

In one of our tests, we took a zero day worm and put it in an unpatched WinXP
machine. Prevx1 managed to detect intrusion attempts by the zero day worm, when
it was trying to modify the registry. It gave a pop-up, alerting us about the
attack and also asking whether the application should be allowed to perform its
functions or not. The software was able to detect malicious activity but couldn’t
find out whether it was a worm or not. When run in Expert mode, it started
acting as a firewall as if it were asking queries for each program, whether they
should be allowed to run or not. The application displayed similar kind of
messages even while installing and updating the software.

3Com’s Zero Day Initiative
Zero Day Initiative (ZDI) is a portal by 3Com which pays people who report vulnerabilities to them, not just their own but those of others as well. Here’s how it works, When a researcher discovers a vulnerability, he can log on to the ZDI portal and submit the vulnerability for its valuation from 3Com. At this point he is given a unique submission ID through which he can track that vulnerability. After 3Com has verified the vulnerability, it decides whether to make an offer for it or not. If it makes an offer, the same is informed to the researcher by e-mail. Now if that researcher accepts the offer, the exclusivity of information is assigned to 3Com and the researcher is paid for that. 3Com then informs the affected product vendor about the vulnerability and also distributes protection filters to its customers. Thus, protecting their customers even before the vulnerability is released. Later on 3Com shares in advance, vulnerability details, with other security members before it is disclosed to the public. Once the patch is ready from the affected vendor, 3Com works in collaboration with it to notify the public of the vulnerability through a joint advisory that gives full credit to the original researcher unless the latter wants to remain anonymous. If you want to participate in their initiative or know about upcoming advisories, log on to
www.zerodayinitiative.com.

However, to avoid the pain of allowing every action performed by a legal
application, it lets you define security settings for all actions performed by a
particular application. Overall, this software can be handy in protecting your
nodes from a zero day worm if it manages to sneak in.

While there are various tools available, both commercial as well as free, to
identify and protect your network and hosts against zero day attacks, they’re
not enough. Such tools can only go so far in protecting your network and
systems.

You also need to establish the right set of policies and guidelines on how to
identify zero day attacks and take necessary measures to prevent them from doing
any damage until a patch is discovered for them. As you’re fighting against an
unknown enemy in ZDA, the best form of defense you have is to identify anamolies
on your network.

These could be like a sudden surge in traffic on your network? And if so,
where is it coming from? Is it coming from a host that normally doesn’t
transmit so much traffic? You need to train your team to keep a watch on such
anamolies. Any packet sniffing tool or your intrusion detection system would be
able to give this information. Gartner calls this technique, Network Behavior
Analysis.

The moment such an anamoly is detected, the first step should be to isolate
the cause. If it’s a host, that’s generating too much traffic, remove it
from the network for further analysis. The idea is that even if a patch or fix
is not available, you should be able to at least prevent the infection from
spreading to other machines on the network.

Anindya Roy and Swapnil Arora

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.

<