MALICIOUS WEBSITES
Kevin Prince, Chief Security Officer, Perimeter eSecurity
February 2007

In August 2004, Microsoft released Windows XP Service Pack 2 (SP2). This marked a significant date in the network security world. The largest software provider in the world had released a version of its operating system (OS) with built-in security turned on by default. The next several weeks and months were interesting, as many dependent software applications “broke” when the security features were tightened up. But all things said and done, it was a great milestone in security, and although it was a rough road, it was a long time in coming.

Security enhancements included a major revision to the internal firewall, which was renamed Windows Firewall; advanced memory protection that takes advantage of the NX bit incorporated into newer processors to stop buffer overflow attacks; and removal of raw socket support (which supposedly limits the damage done by "zombie" machines: infected computers that can be used remotely to launch denial of service attacks). Additionally, security-related improvements were made to e-mail and web browsing. Windows XP Service Pack 2 includes the Windows Security Center, which provides a general overview of security on the system, including the state of anti-virus software, Windows Update, and the new Windows Firewall. Third-party anti-virus and firewall applications can interface with the new Security Center.

These modifications to the world’s most popular OS shocked the hackers of the world. No longer would it be very easy to attack and compromise systems. No longer were there more open systems than they had time to compromise. Attackers would scour the Internet looking for open systems, and when one was found, would quickly close the holes so another attacker couldn’t claim what they had rightfully stolen. Don’t get me wrong, I said no longer was it “very” easy. Now it is just sort-of easy.
Much of this is due to computer systems being brought online in other countries where there is a lot of pirated software, and other older OSs that don’t have security features enabled. There are also a lot of older computer systems right here in the USA that are still using OSs older than XP SP2. Lastly, even with security turned on, there are other ways for a system to be vulnerable. But because most of the systems or information that had the highest value to hackers had become more secure, they were required to get creative in their attacks.

In 2005 we saw the beginning of a movement towards an entirely new type of attack method. Until then, most attackers would compromise a computer system by simply attacking it with known vulnerabilities or “bugs” that could allow the attacker to gain some level of control over the system. These are commonly referred to as “inbound attacks”. With personal firewalls loaded onto many systems, as well as other security features enabled, the “inbound attack” approach became increasingly less profitable. New attack methods started to appear in which the attacker would take advantage of vulnerabilities within the Internet browser itself. These vulnerabilities would allow the attacker to download malicious code, Trojan horses, or other applications in the background simply by having the user look at a web page.

Some of the new attack methods included luring unsuspecting users to malicious web sites via SPAM, instant messaging, or popular web sites. In one case, an attacker created a Katrina Relief web site. The site was good, giving up-to-date storm watch information, videos of survivors, even links to real donation sites. This web site was indexed by several search engines and quickly became one of the top links when typing “Katrina” into a search web site. Just by clicking the link, a malware program was installed onto the user’s PC.
Malware programs can do things like crash your system, capture keystrokes (passwords), capture screen shots, or give full remote control. What people don’t realize is that the software makes an OUTBOUND connection to the Internet. Because the internal computer is making the request (connection) out to the Internet, the security systems assume it is “authorized” traffic. The PCs can make connections back to the attacker’s systems, and the attackers can do just about anything they want. This defeats all the security designed to stop INBOUND attacks.

In 2006 we saw many more of these types of attacks. Many new ways of attracting unsuspecting users to malicious web sites appeared. One was disguised as a phishing attack. The phishing web site would install malware on the remote computer, even if the user did not enter any personal information. This way they can get you coming and going, as they say. Due to the popularity and success of these new attack methods, in conjunction with security devices that often only block inbound attacks, we believe this trend will continue and even increase in 2007 and beyond.

Stopping attacks that utilize malware requires a dedication to a strong security posture that includes a layered security approach. Security solutions that should be considered to reduce malware and potential attacks in your environment are as follows:

Intrusion Detection/Prevention: Use an IDS/IPS system to do “deep packet inspection”, which looks beyond the header information of the packet at the payload, comparing each packet with known hacker attack signatures. Be sure the system is continually updated, fine-tuned, and monitored 24x7 to gain the security benefits needed.

URL Filtering: Also commonly known as web site or content filtering. These solutions prevent internal systems from accessing unauthorized web sites.
All web sites are put into one of 50+ categories, and you decide which types of web sites employees should be allowed to access from the corporate network.

SPAM filtering: Be sure that SPAM is being filtered at least at the network level, and then optionally on the desktop as well. Reducing SPAM will keep many end users from clicking on links that could contain malware.

Policies: A strong Internet use policy stating what users are allowed to do on the Internet is critical. End users that have the ability to download peer-to-peer (P2P) software, use instant messaging (IM), or install applications are often the first to be burned by attackers. Reduce the applications and access end users have to only what is required for them to perform their duties.

Training: Train employees on proper use of the Internet, downloading, etc.

PC Restrictions: Most operating systems have the ability to restrict the user so they may not install or download applications. Although this becomes an increased burden on the IT staff, the security benefits are enormous.

Gateway AV: Use gateway anti-virus to stop malicious emails from entering your network. Don’t solely rely on the desktop AV to stop all viruses and worms.

Vulnerability Scanning: Be sure you are running vulnerability scans on all Internet-accessible systems and all critical servers at a minimum to find vulnerabilities. From time to time it is also recommended to run a full network-wide vulnerability scan.

Patch management: Once vulnerabilities are identified, patch them on a timely basis.

The risk mitigation solutions to keep malware off our systems exist today, but far too few utilize enough of them to get proper protection. Through a combination of good end-user training, policies, and technology, security risks can be reduced as network security risks continue to evolve.
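As an added example (not part of the original paper), the point that malware “calls home” with an OUTBOUND connection that an inbound-only firewall treats as authorized can be turned into a simple egress check: the script below parses constructed firewall log lines, ignores destinations on an assumed allow-list standing in for the URL-filter categories described above, and flags any internal host that connects to an unlisted destination at regular intervals. The log format, host names and allow-list are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress log (assumed format: "<ISO time> OUT src=<ip> dst=<host> dport=<port>").
SAMPLE_LOG = """\
2007-02-01T09:00:00 OUT src=10.0.0.5 dst=updates.example-vendor.test dport=80
2007-02-01T09:00:01 OUT src=10.0.0.7 dst=c2.bad.test dport=443
2007-02-01T09:05:01 OUT src=10.0.0.7 dst=c2.bad.test dport=443
2007-02-01T09:10:02 OUT src=10.0.0.7 dst=c2.bad.test dport=443
2007-02-01T09:15:01 OUT src=10.0.0.7 dst=c2.bad.test dport=443
2007-02-01T09:03:40 OUT src=10.0.0.5 dst=news.example-site.test dport=80
2007-02-01T10:11:12 OUT src=10.0.0.5 dst=updates.example-vendor.test dport=80
"""

# Assumed allow-list; in practice this would be the URL-filter category decision.
ALLOWED_DESTINATIONS = {"updates.example-vendor.test", "news.example-site.test"}

LINE_RE = re.compile(r"^(?P<ts>\S+) OUT src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)$")


def parse_outbound(log_text):
    """Return (timestamp, src, dst, port) tuples for every outbound line that matches the format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"])))
    return events


def find_beacons(events, min_hits=4, max_jitter_ratio=0.1):
    """Flag (src, dst) pairs that contact a non-allow-listed host repeatedly at a near-constant interval."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port in events:
        if dst not in ALLOWED_DESTINATIONS:
            by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        # Low spread relative to the average interval is the regularity a human browsing session lacks.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            findings.append({"src": src, "dst": dst, "hits": len(times), "interval_s": round(avg)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_outbound(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}: {f['hits']} connections every ~{f['interval_s']}s")
```

Tune `min_hits` and `max_jitter_ratio` against your own egress logs; the thresholds here are illustrative, not a recommendation.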
By Kevin Prince, Chief Security Officer, Perimeter eSecurity
www.perimeterusa.com
(800) 234-2175

Founded in 1997, Perimeter eSecurity is the only provider of complete eSecurity on demand, which offers network security “in the cloud,” or directly to the network, for more than 4,000 growing companies nationwide. Headquartered in Milford, CT with seven geographically distributed operations centers and three redundant data centers, the company is among the fastest growing network security providers. Its website, www.perimeterusa.com, offers a wealth of network security services and webinars that are available to businesses on demand.