A Worm is a Worm by any Name

The Conficker family of malware, the latest in a long and distinguished line of malicious code designed to exploit a vulnerability in the Microsoft Operating System, has been called “evolutionary” for its ability to spread itself among potentially vulnerable hosts and collect valuable data, as well as its ability to avoid detection.

Key aspects of its many talents include:
· Exploit unpatched hosts vulnerable to MS08-067, usually by scanning port 445
· Spread via infected USB devices
· Shut down key security services, such as Windows Update and Antivirus
· Brute force passwords and gain access to network shares and Peer to Peer networks

While Conficker may use these methods to reach new heights of evil, the methods themselves are not new. As with most viruses and worms, the process for escalating privileges, exploiting hosts, and gaining unauthorized access remains much the same: exploit a weakness, stop the services that may prevent the nefarious deed, and then spread the love via email, network shares, peer to peer communications, or removable devices. This type of malware has a definable and traceable behavior pattern, as do most—and being able to track this activity and respond to it does not depend on knowing exactly what flavor of malware you are dealing with, given the visibility into the network a SIEM can provide. While there is certainly value in the more ‘signature-based’ approach that antivirus and IDS software use, especially when it comes time to actually remove the malware and restore the system, behavior patterns can often prove a far more valuable and flexible method of identifying the attack and stopping it in its tracks before you have a thousand systems to restore.

In the case of the TriGeo SIM, the advanced correlation engine is quite capable of identifying these unusual behavior patterns and taking immediate action to stop them. The key advantage that a SIEM has over a point solution such as antivirus or IDS/IPS is the ability to “see” across the entire network: not just the file level or the network level, but all devices, from all sides. In this manner TriGeo SIM collects evidence of the effects of an attack at all levels—logon failures at the server level, critical process stops at the host level, and excessive or unusual network traffic at the network and firewall level. This visibility allows a SIEM to correlate behaviors that a single solution would be blind to, and thus to depend less on signature-based response and focus instead on identifying “bad” behavior of any type. More importantly, TriGeo SIM can instantly respond when this behavior is detected and disable the offending machine(s).

When the worm attempts to gain access to privileged accounts, it will try to brute force these passwords—this activity is immediately and easily detectable by simply having the TriGeo Agent on your core servers, such as your Domain Controllers. When TriGeo’s behavior-based rules (over 500 of which are included out of the box) detect a large number of logon failures in a short period of time, especially to “critical” accounts such as your Admin accounts, they will immediately generate security alerts to notify you of this behavior. In addition, if you choose to do so you can configure the TriGeo Rules to take more proactive actions, such as disabling the NIC of the offending machine or shutting it down, effectively quarantining the box until you are able to investigate further.

The same responses can be used in the event that your antivirus does detect the worm, but is unable to clean it (which happens more frequently than we’d like to think, usually because of out of date virus engines). Having an Agent on your antivirus server will allow TriGeo to collect these events and respond accordingly, even when your Antivirus service is unable to do so.

In addition, having the TriGeo Agent on all of your machines, including your workstations, will give the maximum amount of visibility and control, allowing you to detect when the worm attempts to stop critical services (such as antivirus or Windows Update). Since this worm specifically takes advantage of a Windows vulnerability, if the machine is unable to obtain the update then the worm can exploit this vulnerability and gain additional privileges. Ensuring that your critical services are running as expected is only a small part of what TriGeo can do—in addition, the SIM can correlate this data with other behavior patterns, such as the unusual user account activity mentioned above, to detect that malware is loose on the network and take action immediately.

For example, TriGeo’s Worm Behavior rules detect a combination of events such as many failed logon attempts, in conjunction with an increased amount of TCP traffic (resulting from the worm’s attempts to spread itself across the network), and the attempts to stop critical services—if this combination of events is detected on a given source machine, it is immediately deemed suspicious, marked as an Incident, and action can be taken. This type of behavior is typical of almost any malware, not just Conficker, which is the real power of the behavior-based rules approach—TriGeo SIM doesn’t have to know it’s Conficker to know it’s bad news and needs to be stopped. Having visibility across the entire network allows the SIM to intelligently compare the data from all of your reporting devices and extrapolate the unusual activity, especially in the case of a virus or worm, which tends to affect so many different devices on your network.
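The brute-force detection described two paragraphs up and the three-way Worm Behavior combination described here come down to one sliding-window correlation per source host. The following is an added illustration of that logic, not TriGeo's rule engine or any of its 500 shipped rules: it runs over a constructed, already-normalised event stream (domain-controller logon failures, firewall connection records, host-agent service-stop events) and declares a host an Incident the first time all three behaviors fall inside one window. The thresholds, the five-minute window, the service names and the use of distinct-destination fan-out as the measure of "increased TCP traffic" are all assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds and service list (not TriGeo's actual rule parameters).
FAILED_LOGON_THRESHOLD = 10       # failed logons from one host inside the window
TCP_FANOUT_THRESHOLD = 50         # distinct destinations contacted inside the window
CRITICAL_SERVICES = {"wuauserv", "WinDefend", "wscsvc"}   # Windows Update, Defender, Security Center
WINDOW = timedelta(minutes=5)


def parse_event(line):
    """Parse one constructed 'timestamp|host|kind|detail' record."""
    ts, host, kind, detail = line.strip().split("|")
    return datetime.fromisoformat(ts), host, kind, detail


def build_sample_events():
    """Constructed event stream, as a SIEM would hold it after normalising
    domain-controller, host-agent and firewall logs. WS-0417 shows all three
    worm behaviours; WS-0102 is a user mistyping a password."""
    base = datetime(2009, 3, 30, 10, 0, 0)
    lines = []
    for i in range(15):                      # DC: repeated Administrator logon failures
        lines.append(f"{(base + timedelta(seconds=10 * i)).isoformat()}|WS-0417|logon_failure|Administrator")
    for i in range(80):                      # firewall: fan-out to many hosts on TCP/445
        lines.append(f"{(base + timedelta(seconds=60 + i)).isoformat()}|WS-0417|tcp_connect|10.0.0.{i + 1}:445")
    lines.append(f"{(base + timedelta(seconds=150)).isoformat()}|WS-0417|service_stop|wuauserv")
    lines.append(f"{(base + timedelta(seconds=151)).isoformat()}|WS-0417|service_stop|WinDefend")
    for i in range(4):                       # benign: a handful of failures, nothing else
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()}|WS-0102|logon_failure|jsmith")
    return [parse_event(line) for line in lines]


def correlate(events, window=WINDOW):
    """Sliding-window correlation per source host. A host is declared an
    incident the first time all three behaviours fall inside one window;
    later events for that host are ignored so the incident is raised once."""
    recent = defaultdict(deque)      # host -> deque of (ts, kind, detail), oldest first
    incidents = {}
    for ts, host, kind, detail in sorted(events):
        q = recent[host]
        q.append((ts, kind, detail))
        while ts - q[0][0] > window:  # expire events that have left the window
            q.popleft()
        if host in incidents:
            continue
        failed = sum(1 for _, k, _ in q if k == "logon_failure")
        fanout = len({d for _, k, d in q if k == "tcp_connect"})
        stopped = sorted(d for _, k, d in q if k == "service_stop" and d in CRITICAL_SERVICES)
        if failed >= FAILED_LOGON_THRESHOLD and fanout >= TCP_FANOUT_THRESHOLD and stopped:
            incidents[host] = {"first_seen": ts, "failed_logons": failed,
                               "tcp_fanout": fanout, "services_stopped": stopped}
    return incidents


if __name__ == "__main__":
    for host, info in correlate(build_sample_events()).items():
        print(f"INCIDENT {host} at {info['first_seen'].isoformat()}: {info}")
```

Running it flags only WS-0417, at the moment the first critical service stops, with the logon and fan-out counts that were already in the window; the benign host never crosses the logon threshold and shows none of the other two behaviors. A response hook (disable the NIC, shut the box down) would hang off the `incidents` dictionary, which is exactly the point the post makes: the rule needs no Conficker signature, only the combination.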

Last but not least, our USB-Defender technology is also capable of detecting the use of USB mass storage devices and can even immediately detach “unauthorized” devices based on properties like serial number, user, machine, or time of day. In this manner, a USB device could be immediately detached before malware would have a chance to take hold, reducing your risk of exposure. Even in the event that you cannot disallow access to all devices, a USB attach event can be correlated with any of the unusual behavior mentioned above, or an alert from the host’s antivirus, and the device immediately removed based on these findings.
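An added example of the two decision paths this paragraph describes, written for this page and not taken from USB-Defender itself: a device allowlist keyed by serial number with permitted users, machines and hours, and a fallback that detaches an otherwise-allowed device when the same host's antivirus raised an alert shortly before the attach. The policy schema, the ten-minute correlation window, the serial numbers, hosts and users are all constructed for the example.

```python
from datetime import datetime, time, timedelta

# Constructed device policy (an assumption, not USB-Defender's real schema):
# serial number -> permitted users, permitted machines, permitted local hours.
DEVICE_POLICY = {
    "SN-ACME-0001": {"users": {"jsmith"}, "machines": {"WS-0102"},
                     "hours": (time(8, 0), time(18, 0))},
}
AV_ALERT_WINDOW = timedelta(minutes=10)   # assumed correlation window


def recent_av_alert(host, ts, av_alerts, window=AV_ALERT_WINDOW):
    """True if this host's antivirus raised an alert within `window` before the attach."""
    return any(h == host and 0 <= (ts - t).total_seconds() <= window.total_seconds()
               for t, h in av_alerts)


def decide(attach, av_alerts):
    """Evaluate one attach event {"ts", "host", "user", "serial"} against the
    allowlist, then against recent antivirus alerts. Returns (action, reason)."""
    policy = DEVICE_POLICY.get(attach["serial"])
    if policy is None:
        return "detach", "unknown serial"
    if attach["user"] not in policy["users"]:
        return "detach", "user not authorised for this device"
    if attach["host"] not in policy["machines"]:
        return "detach", "machine not authorised for this device"
    start, end = policy["hours"]
    if not start <= attach["ts"].time() <= end:
        return "detach", "outside permitted hours"
    if recent_av_alert(attach["host"], attach["ts"], av_alerts):
        return "detach", "antivirus alert on host within correlation window"
    return "allow", "matches policy"


def run_samples():
    """Constructed attach events and one constructed AV alert; returns each decision."""
    av_alerts = [(datetime(2009, 3, 30, 10, 5), "WS-0102")]   # (time, host)
    attaches = [
        {"ts": datetime(2009, 3, 30, 9, 30), "host": "WS-0102", "user": "jsmith", "serial": "SN-ACME-0001"},
        {"ts": datetime(2009, 3, 30, 9, 30), "host": "WS-0102", "user": "jsmith", "serial": "SN-UNKNOWN-9"},
        {"ts": datetime(2009, 3, 30, 22, 0), "host": "WS-0102", "user": "jsmith", "serial": "SN-ACME-0001"},
        {"ts": datetime(2009, 3, 30, 10, 8), "host": "WS-0102", "user": "jsmith", "serial": "SN-ACME-0001"},
    ]
    return [decide(a, av_alerts) for a in attaches]


if __name__ == "__main__":
    for action, reason in run_samples():
        print(action, "-", reason)
```

The first attach is allowed, the second and third fail the allowlist (unknown serial, outside hours), and the fourth is an approved device that is still detached because the host's antivirus fired three minutes earlier. Putting the allowlist checks before the correlation check keeps the common case cheap and makes the reason string, which is what an analyst sees in the incident, unambiguous.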

In short, though a footprint may not look like a boot, that won’t stop your TriGeo SIM from identifying that someone or something has stepped on your precious network resources and stop them in their tracks. No matter what the name, the behavior is key and so is the response that TriGeo SIM can provide.

For more information on Conficker and its behavior patterns, check out the Conficker Working Group website at: http://www.confickerworkinggroup.org/wiki/pmwiki.php/ENT/Enterprise

Other sites of interest include:

https://www.honeynet.org/node/388 and https://www.honeynet.org/node/389

http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

http://mtc.sri.com/Conficker/addendumC/

http://www.us-cert.gov/cas/alerts/SA09-088A.html


This post was written by:

Amanda Meyer - who has written 2 posts on TriGeoSphere.