Malicious software helps attackers infiltrate network and system defenses, disrupt business operations, and funnel sensitive data out of corporate and personal computers. Unfortunately, there is no single-step fix to preventing and even detecting infections. Stopping malware requires an approach grounded in awareness and control.
Be attuned to the state of your network and systems
Malicious software, such as bots and spyware, often goes unnoticed for far too long. Well-crafted malware can avoid being detected by antivirus software and intrusion detection systems. The first line of defense against such a formidable foe is to become familiar with the normal state of your IT infrastructure, and monitor it to detect anomalies.
Establishing and maintaining IT infrastructure awareness means committing to the following steps:
- Centrally manage logs from systems and network devices across the enterprise to detect anomalous events. Even an operational incident, such as a surge in CPU load on a server, could have security implications; the increased load could be attributed to malware on that system. Logs can be aggregated without commercial tools via Syslog, which runs natively on Unix and has been ported to Windows. Without a central monitoring point, your perspective on the infrastructure will be severely obstructed.
- Deploy intrusion detection sensors at key points on the network. Host-based sensors on key servers also help. However, maintaining host intrusion detection systems (IDS) tends to be more burdensome than managing network IDS. Even though a traditional IDS may not block infections, it will offer additional visibility into the environment. Snort is widely considered the king of free network IDS tools. For a free multi-platform host IDS, take a look at OSSEC.
- Monitor outbound network traffic to detect infected systems that seek instructions or leak data to their masters. You can tune a network IDS sensor to scrutinize outbound traffic, or employ traditional network monitoring tools for this purpose. (I have had a lot of luck with free Argus Open Project software.) The quicker a compromise is detected, the faster it can be contained. To learn more about detecting unauthorized activities in outbound traffic, see the book Extrusion Detection by Richard Bejtlich.
- Detect unauthorized changes to the state of your systems. Although some malware resides purely in memory of the infected system, many infections leave footprints on the file system or registry. Some host IDS can detect such changes to the system's integrity. Free tools dedicated to accomplishing this include AIDE, cfengine, and the open source version of Tripwire.
Trap malware with honeypots
Honepots combine the best aspects of detective and preventative technologies in the fight against malware. Honeypots are systems specifically deployed to be compromised. While the development of commercial honeypots seems to have lost steam, there is a plethora of innovative and freely available honeypot technologies. When carefully deployed, they can strengthen an enterprise's defensive posture in several ways:
- Slow down an intruder's progress by having him waste time breaking into a system that offers no value to the attacker. For instance, the free LaBrea tool stalls port scans and worm propagation activities by creatively responding to an attacker's network connections.
- Decrease the rate of false positives, which often plagues network IDS. Since a honeypot, by definition, should not participate in production activities, almost any connection to it is an indication of malice. A free tool Honeyd emulates servers, devices, and even networks to increase the span of such monitoring without requiring multiple physical systems.
- Capture malware samples for analysis. Since malware is a part of most modern intrusions, capturing it before it finds its way to a production system assists in incident response. One of the free tools that can assist in this task is Nepenthes, which can capture malicious software propagating over the network. With copies of malicious samples at hand, they can be analyzed to understand their capabilities. (Coincidentally, I teach a SANS Institute course about this.)
- Understand the intruder's intentions by observing his interactions with the compromised environment. This can be accomplished by deploying a series of honeypots to fool the intruder, whether a human or a program, about the authenticity of the targeted system. The bootable Honeywall disk, distributed for free by the Honeynet Project, can help enable this, and includes excellent monitoring tools.
- Determine whether your users visited malicious websites by employing a client-side honeypot that crawls and examines Web pages. Drive-by downloads, which exploit vulnerabilities through the Web browser, are a common infection technique. Consistently blocking this threat vector may be hard, but you can still detect the incident quickly. If your organization has a mechanism, such as a proxy server, that records visited URLs, you can use the free Caffeine Monkey tool from SecureWorks to automatically examine those sites for Web exploits.
The most challenging aspect of using honeypots is deploying them in a manner that prevents an intruder from using them as a launching pad for attacks. If your organization chooses to experiment with honeypots, be sure to implement the safeguards outlined in each tool's documentation. For an overview of honeypots and deployment scenarios, see the book Virtual Honeypots by Niels Provos and Thorsten Holz.
Protect the endpoint from malware threats
Alas, despite information security's best efforts, malicious software may bypass network defenses and reach a system you're trying to protect. Personal computers are particularly vulnerable, because PCs are often used in unpredictable ways and places. Here are the techniques that can help lock down laptops and desktops:
- Employ antimalware tools with behavior-blocking capabilities. Traditional signature-based antivirus techniques are no longer sufficient. Modern security suites from the familiar antivirus vendors can observe local executables for behavior that characterizes malicious software, such as attempting to monitor keystrokes or writing to certain registry locations. This helps detect malware that evades signature detection and block its actions. However, before enabling such tools across the enterprise, be sure to confirm they do not interfere with regular business activities.
- Look out for rootkits. Though far from being a novelty, only recently have rootkits found their way into "mainstream" malware. Rootkits' stealthy capabilities make it particularly difficult to detect an infection. Fortunately, antimalware products are becoming better about detecting rootkit-concealed malware. They do so mostly by identifying inconsistencies in the way different OS components describe the system's state. Free stand-alone rootkit scanners include GMER, Microsoft RootkitRevealer, and Sophos Anti-Rootkit.
- Protect browsing activities to anticipate drive-by downloads and other browser exploitation techniques. Hardening the browser may involve creating a protective sandbox around it with a tool such as Sandboxie (it's free). It also helps to run the browser with fewer privileges; that's where Vista's built-in User Account Control (UAC) and free tools such as DropMyRights can help. Don't forget to disable unnecessary browser features and components; you can exercise fine-grained control over Internet Explorer with the help of Windows Group Policy.
- Keep up with security patches. Information security pros are getting better at keeping up with security updates for Microsoft products, but knowing when and how to patch third-party software, such as Acrobat Reader and Java Runtime, is more challenging. Free tools that detect missing patches for third-party software include F-Secure Health Check and Secunia Software Inspector.
- Lock down the workstation. Last, but not least, is the need to harden the core OS on the endpoint. This involves disabling unnecessary OS components; Group Policy is very helpful for this. It can be used to restrict which applications may run via its Software Restriction Policy feature. A free stand-alone tool that can limit which executables may run is Trust-No-Exe from Beyond Logic.
A comprehensive security program is a must
As your organization considers its antimalware strategy, remember that there is no quick fix to this growing threat. Effective approaches incorporate detective and preventative controls that create multiple defensive layers. There are products, both commercial offerings and free tools, to help you along the way. These tools are only as effective as the overall security program that they are a part of.
About the author:
Lenny Zeltser is the New York security consulting leader at Savvis Inc. He is also a senior faculty member at SANS Institute, where he teaches a course on reverse-engineering malware.
This was first published in March 2008