The kind that puts banks your size out of business.

Is there anything you can do other than worry? Isn’t this stuff so complicated only grad students in computer science can understand it? People say that nothing is truly secure—isn’t that true?

You can do something about it, because hackers have adopted a relatively uniform mass-production approach to attacking computers. And yes, you can understand it.

How Malware Works

Hackers don’t pick your name out of a hat and then decide to attack you; that’s so 1999. Their desire to make a profit has driven them to use highly efficient and highly effective techniques designed to maximize the number of breached systems rather than maximizing their ability to breach a specific target. Their chosen approach is actually quite clever. Here’s how it rolls out:

1. A hacker penetrates a legitimate web site and modifies it so that a visiting web browser also pulls data from the hacker’s web site. The Google Anti-Malware Team recently found 3 million such URLs in a survey of Google’s stored copies of web sites.
2. A normal person visits one of these infected web sites, causing the web browser to also make a request to the hacker’s web site. The hacker’s web site determines which operating system and which browser the innocent web surfer is using, then sends back a series of specially crafted HTML, PDF or other file types that contain exploit data for commonly found missing patches. An exploit is typically a pattern in the returned data that causes the targeted software to misbehave in some way due to a bug introduced accidentally by the program’s author when he wrote it. The exploits are specifically aimed at the user’s operating system and browser in order to maximize the likelihood of a breach.
3. If the user’s computer is running some amount of unpatched software, and if at least one of the attacker’s chosen exploits matches up exactly with one of the user’s missing patches, then the hacker’s malicious pattern of data causes the user’s buggy program to actually execute software the hacker himself wrote and included as part of the malicious data pattern.
4. Typically the first thing the hacker’s software does is to issue more requests to hacker web sites, downloading and installing more malicious software.  It is rare to be infected by a single virus; malware usually arrives more as a malicious throng than a single stealthy intruder.
5. Once the hacker’s programs are installed on the user’s computer, his software runs and begins to carry out his wishes. Sometimes this means sending Spam e-mail messages to millions of people.  Other times it may mean spraying a specific web site with huge amounts of bogus web requests, a so-called Denial of Service attack. But the scenario that terrifies us is the one where the software on the infected machine makes a network connection to one of the hacker’s servers that doesn’t download software, but instead stays connected. The purpose of this long-term connection is instead to provide two-way communication. This gives the hacker a direct path from his server on the outside right through your firewall, a so-called backdoor into the heart of your company’s computer network.

Once inside, the hacker can do whatever he’d be able to do if he had free reign of your office. He can search through computer files, he can listen for passwords, he can record information displayed on customer account screens. He can also probe other machines on your network looking for more unpatched systems. Note that this is no longer an impersonal piece of automation running; now you have a real, live hacker rummaging through your data looking for something he can sell. And if it was that easy to get inside in the first place, it’s usually even easier to get access to the machines that contain all your customer data and ship it off to Russia. Or China. Or Cleveland.

According to the Verizon 2010 Data Breach Investigations Report, the U. S. Secret Service reports that, although insider attacks are up 26% over last year, 96.5% of all stolen customer records occurred through external attacks. 95% of those external attacks were attributable to malware, the kind we just described. 80% involved malware that was explicitly designed to provide remote access to the hacker, the kind that lets him steal all your customer data.

Traditional Defenses

Most anti-malware strategies involve trying to stop it from infecting you in the first place. Reputation-based browser features compare the link you clicked on against a database of sites that have been reported to contain malware, popping up a warning if it finds a match. So-called UTM (Unified Threat Management) appliances or next-generation firewalls look inside the web browser data stream searching for data patterns that look like exploits, or they examine the entire returned web page, making sure it adheres strictly to the HTML standard. Sometimes they even can figure out what web application you are running, tailoring their activities to the specific site or function.

The best known defense, though, is anti-virus. A few years ago, the leading anti-virus systems would catch 99% or more of all malicious software.  Today, the best anti-virus systems detect and block perhaps half of all infections, but if an infected web site launches twelve exploits at you, and if, say, four of them match up with patches you are missing, then you’d still have a probability of 1 – 0.5⁴ = 94% of being infected because of that one click.

It may not be the best known, but the most effective defense against malware in common use today is simple. Keep your systems patched! This has gotten much easier since Microsoft introduced Automatic Updates ten years ago. Unfortunately, the summer of 2009 saw Adobe break Microsoft’s long run as King of Vulnerable Software. Even more unfortunately, Adobe and the other commonly attacked desktop software vendors have not come close to matching the effectiveness of Microsoft’s efforts to provide patching tools (Automatic Updates and WSUS) and patch scanning tools (MBSA). See my article Keeping Windows Patched for more on this topic.

A Simplified Firewall Architecture for Combating Malware

It is certainly painful to have to deal with an infected machine. In most environments, the machine must be reformatted and reinstalled by hand, a job which can take anywhere from half a day by an experienced IT professional to as long as two days if a lot of software installation and reconfiguration must be performed. Using a disk imaging system can bring that time down to 20 minutes, but such a solution has its own costs. But the cost of recovering an infected machine never exceeds a thousand dollars or so. The real cost is in the risk of breach. That is where we should be putting our effort—making it as difficult as possible for an infected machine to establish a backdoor connection.

The funny thing is, this is the part that isn’t all that hard. The last few years have seen an explosion in the growth of cloud-based security products, especially filtering web proxies. A web proxy is a special server that acts as a mediator between a web browser and a web site. The addition of filtering capabilities, including all those features listed above for advanced firewalls, makes this a very attractive service. But we at Lithik Systems believe that the greatest benefit of such a service comes from what it allows you to do to your firewall configuration.

The reason the hacker’s malware can build that backdoor connection so easily is that nearly everyone has their firewall configured to allow outbound web browser connections to an unlimited number of destinations. If the firewall allowed web browsers to only go to a short list of places, the backdoor could never be set up. Many if not most corporate firewalls are configured to allow e-mail traffic only to a short list of e-mail servers. The same is true of many other services. If all Internet traffic originating from behind the firewall was only allowed to go to a fixed list of destinations, no backdoors could ever exist. This is easy except for web traffic, and if a web proxy service is used, web traffic can be controlled in exactly the same way.

You may say, though, that a backdoor can indeed exist. Even though it would be tricky, even though the malware would have to somehow figure out that you were using a web proxy, and even though it would have to figure out where it was and how to authenticate with it, the malware could go through the web proxy. That’s why it’s important that you choose a service that has a really good filter. That’s also why you probably shouldn’t simply install a cheap, non-authenticating web proxy server just outside your firewall. Future-proof your solution now.

But wait, there’s more.

Utilizing the above approach can eliminate (or nearly eliminate) the likelihood of an outsider stealing your data. But once your firewall is configured with no unlimited destinations in any rules at all, you have a new option in front of you. If the firewall is then set up to trigger an alarm whenever any kind of traffic is blocked trying to go to an unauthorized destination, you have an IDS (Intrusion Detection System) that can almost perfectly detect external breaches. An alarm means that the offending machine is infected. Now, it could also mean that someone just misconfigured some application, or someone just installed a program that didn’t know about the web proxy and tried to auto-update itself, but those situations will only happen when you should expect them, and the cause should be obvious. But if your firewall sends you a text on your cell phone when no IT people are making any changes, you almost certainly have an infected machine.

Cost-Benefit Analysis

Costs:

• $5 per month per desktop computer for a top quality web filtering service
• $50 per desktop for a permanent license to a good remote disk imaging system so you are never motivated to avoid reinstalling an infected machine
• Time and effort to configure the new setup

Benefits:

• A good filtering proxy will substantially reduce the number of infections you incur
• No fancy firewall features are required
• Infected machines can be cleaned in about 20 minutes
• Infected machines are brought to your attention immediately
• Patch management becomes easy (this is a side benefit of using a disk imaging system)
• A breach involving information theft is nearly impossible

Take Action

The above approach can dramatically reduce your risk of a serious breach.  The cost is moderate, and the side benefits are attractive. Do not put this off; talk about it with your IT staff and with your senior management, then make a decision. Choose wisely.

Click here for the slides.

AutoRun and the companion feature AutoPlay are components of the Microsoft Windows operating system that dictate what actions the system takes when a drive is mounted. The main purpose of AutoRun is to provide helpful actions and capabilities when removable media or network shares are mounted. When such a device is mounted, the autorun.inf file from the media is parsed. This file specifies which commands the system should run. Many companies use this functionality to automatically start up their installers when a CD-ROM is inserted, but attackers can also use it to run data extraction sessions or automatic installations of malware.

AutoRun and AutoPlay can be friendly features, but they are almost never necessary in an enterprise environment.  The security risk typically far outweighs any benefit.

All AutoRun/AutoPlay features are controlled by values stored in the Windows registry. There are a number of ways to set these values, including

• Group Policy
• Double-clicking a .REG file containing registry settings

Disabling AutoRun Using Group Policy

If you think that Windows Group Policy would be the most convenient and thorough way to distribute such a policy, you’d be partly right. The only gotcha is that a number of people report that it doesn’t always get every machine. I’d recommend both belt and suspenders—use a GPO to catch future machines, but set each existing machine by hand to make sure none fall through the cracks today.

Before configuring Group Policy, you must ensure that one of the following updates has been applied to each of the machines you intend to configure. Note that only one update applies to each machine.

• Update for Windows Server 2003 for Itanium-based Systems (KB967715)
• Update for Windows Server 2003 x64 Edition (KB967715)
• Update for Windows Server 2003 (KB967715)
• Update for Windows XP x64 Edition (KB967715)
• Update for Windows 2000 (KB967715)
• Windows Vista-based and Windows Server 2008-based systems must have update 950582 (Security bulletin MS08-038) installed to take advantage of the registry key settings that disable AutoRun.

This update will create a new registry entry, HonorAutorunSetting. Without the update, autorun.inf gets read even with AutoRun disabled, but simply does not execute any AutoPlay commands inside. This still allows attacks to be made using autorun.inf, and HonorAutorunSetting should be set to 1 to disable this. The default is 1 after the patch is applied.

To disable all AutoRun features in Windows Server 2003, Windows XP Professional and Windows 2000,

• Click Start, click Run, type gpmc.msc in the Open box, and then click OK. If you don’t yet have GPMC installed, do so first.
• Choose an appropriate Group Policy Object in the left pane (or create a new one and attach it in the appropriate place), right-click it, and select Edit.
• Under Computer Configuration, expand Administrative Templates, and then click System.
• In the Settings pane, right-click Turn off Autoplay, and then click Properties. Note: In Windows 2000, the policy setting is named Disable Autoplay.
• Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives.
• Click OK to close the Turn off Autoplay Properties dialog box.

Windows will propagate the group policy settings to all machines controlled by the edited Group Policy Object. Once the settings have been applied to a computer, it must be rebooted before the changes take effect.

Disabling AutoRun Using a Registry File

Create a file called autorun.reg containing the following lines.  Some of the lines here are long; make sure you don’t break them in the middle somewhere when you cut and paste the text below.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"HonorAutorunSetting"=dword:00000001
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:000000ff

On each computer to be updated, browse to this file and double-click it. The computer must be rebooted for the changes to take effect.