4.3. Real-World Example of an Unintentional Threat

Now that we have put the unintentional threat into context, let's look at how an actual exploit can take place. Let's also look at how a NAC solution could prevent this from happening. Since everyone I talk to mentions that their biggest concern with letting outsiders onto their LAN is infection, let's use that example.

There are two main ways in which unintentional malware infection can take place on a LAN:

  • Network worms

  • Viruses

When talking about malware, many people generically call everything viruses. In reality, there are many different types of malware, such as viruses, worms, Trojans, spyware, and so on. While technically calling all of these things viruses is wrong, it's a fairly common thing to do. Purists may try to correct you from time to time, but it really doesn't matter. That notwithstanding, it is important to realize the difference between the different pieces of malware. Here are three really quick definitions on some of the major pieces of malware that will be important to understand for the purposes of this real-world example:

  • Viruses — Malware that spreads by human interaction, such as opening a file

  • Worms — Malware that spreads without human interaction

  • Trojans — Malware that is installed covertly during the execution of a host file

NOTE

Malware can also be a mix of different types of malware. For example, a piece of malicious code could be transferred from one machine to another by sharing files via a USB drive. Once the code gets onto a new machine, it could then try to spread over the network without any human interaction. That multipronged approach would make the malware both a virus and a worm. Fun, isn't it?

You'll note that the main difference between these different types of malware is how it is spread. Worms can spread on their own, while viruses require human interaction.

When it comes to stopping malware, the first thing that comes to mind is antivirus software. I don't recall ever talking to a company that didn't have an antivirus solution deployed. The antivirus solution may no longer be running or up to date on the enterprise's systems, but the enterprise did at least initially deploy it.

The kicker is that signature-based antivirus solutions (which use how a piece of malware looks to determine if it is a threat) don't work very well against new threats. If a piece of malware contains the actual and unique text "BigNate07" as part of its code, then why not look for that text and use its presence to determine whether a threat exists? Pretty simple, and actually, that's the problem. It's too simple. Change the text in that piece of malware to "BigNoah07," and the threat would go undetected. Literally, that's how it works.

Another issue with signature-based antivirus is that it is reactive instead of proactive. In order for the threat to be detected, it must first be known. To become known, the malware must have already infected enough machines to garner the attention of the antivirus software vendors. That seems like a bit of a Catch-22 — you'll be protected once enough computers have become infected. Figures 4-3 and 4-4 give a graphical representation of how signature-based antivirus works.

Figure 4-3. Signature-based antivirus once a virus has been infecting

Figure 4-4. Signature-based antivirus once updates are installed

So, now you have a basic understanding of the different types of malware threats and how antivirus helps to protect against these threats. Even if antivirus software doesn't catch everything, it still does catch a lot of malicious items. Therefore, it is smart to have it installed, running, and up to date, and it is logical to have a NAC rule to look for it.

The first step in an outsider infecting the corporate LAN is for a machine to become infected. This isn't very hard to do. The machine could get infected by:

  • Having received infected files

  • Surfing the Internet

  • Being on the same network as another infected machine

However the outsider's system became infected, it is infected and contagious. It also is about to connect to your LAN.

For this example, let's say the infected system belongs to a contractor. He's coming onsite to work on a project. Like many contractors, he uses his own laptop. This is an advantage to the contractor (because he will have all of his own tools and files) and good for the enterprise (since it does not have to provide a computer system). The contractor is shown to his guest work area, provided with an Ethernet connection, and given information to get connected to the wireless LAN. He needs this access since he will be working on the same systems as the employees for the company that hired him.

How could the contractor unintentionally infect the LAN? There are at least two ways:

  • He can transfer over data that is infected with malware.

  • Network worms can automatically and actively try to infect the other systems on the network.

4.3.1. Infecting by Transferring Files

The first manner of unintentional infection is fairly easy to understand. The contractor was working on the project using his system. His system was infected. In working on the project, it was necessary for him to share files with employees who were on the network. He did this by using a shared network resource to place those files. The contractor would transfer the files to the shared location, where the employees could then access them for review, modification, and so on. The files that were transferred happened to be infected. When the employees opened the files, they became infected. It's really that simple, as shown in Figure 4-5.

This method of infection clearly requires human interaction. The contractor transfers the files and the employee opens them. So, can this type of infection really happen? People talk about it, but is there an actual example of how this can occur? Yes, there is! Following is information on an actual Microsoft Word vulnerability that could adversely affect systems as defined in this scenario:

Figure 4-5. Unintentional infection by sharing file

National Cyber-Alert System
Vulnerability Summary CVE-2007-0209
Original release date: 2/13/2007
Last revised: 5/16/2007
Source: US-CERT/NIST


Overview

Microsoft Word in Office 2000 SP3, XP SP3, Office 2003 SP2, Works Suite
 2004 to 2006, and Office 2004 for Mac allows user-assisted remote
 attackers to execute arbitrary code via a Word file with a
 malformed drawing object, which leads to memory corruption.


Impact

CVSS Severity (version 2.0):
CVSS v2 Base score: 9.3 (High) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Impact Subscore: 10.0
Exploitability Subscore: 8.6

Access Vector: Network exploitable, Victim must voluntarily interact with
attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Provides administrator access, Allows complete confidentiality,
 integrity, and availability violation, Allows unauthorized disclosure of
 information, Allows disruption of service


References to Advisories, Solutions, and Tools

External Source: SECTRACK

Name: 1017639

Hyperlink: http://www.securitytracker.com/id?1017639


External Source: BID

Name: 22482

Hyperlink: http://www.securityfocus.com/bid/22482


External Source: MS

Name: MS07-014

Hyperlink: http://www.microsoft.com/technet/security/Bulletin/MS07-014.mspx



External Source: FRSIRT

Name: ADV-2007-0583

Hyperlink: http://www.frsirt.com/english/advisories/2007/0583


Vulnerable software and versions

Configuration 1
- Microsoft, Word, 2000
- Microsoft, Word, 2002
- Microsoft, Word, 2003
- Microsoft, Word, 2003 Viewer
- Microsoft, Works Suite, 2004
- Microsoft, Works Suite, 2005
- Microsoft, Works Suite, 2006
- Microsoft, Office, 2000 SP3
- Microsoft, Office, 2003 SP2
- Microsoft, Office, XP SP3
- Microsoft, Office, 2004, Mac

As you can see from this example, the threat is very real. The Impact Type section of this report lists exactly what can happen to systems from this threat. Provides administrator access, Allows complete confidentiality, integrity, and availability violation, Allows unauthorized disclosure of information, and Allows disruption of service are all extremely dangerous risks to the enterprise from this actual exploit.

This information was gathered by visiting The Common Vulnerabilities and Exposures (CVE) web site http://cve.mitre.org and conducting a simple search. This site is funded by the Department of Homeland Security and provides additional information that can be very useful. CVE provides a list of standardized names for vulnerabilities and other information on security exposures to help standardize the names for all publicly known vulnerabilities and security exposures.

In addition to these well-known industry standard sites and services, there are a ton of high-quality sites that contain great information. US-CERT, SANS, and CVE are simply being mentioned because they are respected, noncontroversial, and commonly used by security professionals. It is certainly a good idea for security professionals to be aware of the latest risks, and using these resources is a great means to do so.

4.3.2. How Files Really Get Transferred

The aforementioned scenario is realistic and happens every day. The thing about it is that it's not the only way people transfer data between different companies. While there are lots of ways to do this, the following are most common:

  • E-mail

  • USB drives

Many companies I talk to actively scan their e-mail for malware. When I was a director of IT, I had every e-mail and attachment sent in and out of my organization scanned. This caught a ton of malware and actually resulted from us being infected by the ILOVEYOU virus.

The second method is the tricky one: USB drives. If I have a file on my laptop and I'm in a meeting where someone needs that file, a USB drive is an invaluable tool.

While the USB drive is an invaluable tool, it is a considerable security risk. The data on the USB could very well contain malware. If that data is copied over to a corporate laptop, it could infect that laptop and spread throughout the LAN. In doing so, it could bypass any LAN-based NAC, as well as other LAN-based security solutions. Figure 4-6 shows a representation of how this is done.

Figure 4-6. Bypassing security checks with a USB hard drive

This is a quick-and-easy means to bypass a bunch of security solutions that cost a lot of money. It's also a key way that penetration testers and hackers gain access to the corporate LAN.

TALES FROM THE FIELD

I've heard this story many times in the past, and I've always thought it was a good one. Recently, I spoke with a very well-known penetration tester and security expert who stated that he recently used this method to gain access to a corporate network during a penetration test. To me, this story went from being a good anecdote to a factual account of how a corporate network was actually infiltrated.

As mentioned, companies spend millions of dollars protecting their LAN against outside attacks. That is why companies have firewalls, IDS/IPS equipment, anti-spam software, and so on. So, what is the easiest way to break though all of this equipment? Don't try to break through it — go around it!

People just love USB drives. I use mine all the time. Whether it's as a useful tool to copy files, to always have my security on hand, or to back up important work (such as this book), for example, these tools are invaluable. They are also intriguing. If someone is walking through an airport or a parking lot and they see a USB hard drive lying on the ground, they can't help but wonder what is on it. Is it confidential information, trade secrets, someone's diary, pictures of Anna Kournikova? Inevitably, curiosity gets the better of some people, and they pick it up to see what's on it. (They also might just think, "Hey, I found a free USB drive; I can use this.") Either way, they take the USB drive and plug it into their computer. That step alone is what leads to the infection.

What the penetration tester did is take a bunch of USB drives and scatter them throughout the parking lot of the company for which he was performing the penetration test. Before long, an employee picked up one of the drives and inserted it into his workstation. Upon doing so, the system became infected so severely that it compromised the corporate LAN. There are basically two ways this can be done:

  • The USB drive can contain purposely infected files. When the user opens one of the files, it could load a piece of malware that compromises the system and, subsequently, the network.

  • Upon inserting the USB drive, malicious programs can be automatically executed.

The malicious programs automatically get executed by taking advantage of the Autorun feature. Many people are familiar with the Autorun feature as it pertains to CD-ROMs. A user would place a CD-ROM into the drive on their computer, and an installation menu or set of options is automatically displayed. This happens because the operating system reads an Autorun file on the CD-ROM and uses that information to launch the appropriate application on the CD-ROM, which could be an application that starts an installation.

USB drives can function in exactly the same way. Instead of the Autorun file being on the CD-ROM drive, it would be on the USB drive. When the USB drive is connected to the computer, the Autorun file is run, and whatever programs are entered into the Autorun file are executed. The following is an example of the contents of an Autorun.inf file:

[autorun]
OPEN=keylogger.exe

In the case of the penetration tester, the files that were executed by the USB drive's Autorun file were malicious. They could install a keylogger, a backdoor to the system, and so on. Essentially, by inserting that USB drive, the penetration tester or hacker could capture the network username and password that were entered by the corporate user who inserted the USB drive. They could also remotely control that device and use it as a platform to attack other systems on the corporate network. All this could be done while the penetration tester or hacker was anywhere in the world.

This is a great example of how social engineering can bypass even the best security infrastructure. That includes bypassing technologies such as NAC. You'll see in Chapter 5 how elements of that type of NAC can be useful in preventing exactly this type of threat. (You can also hold down the Shift key to stop Autorun functionality from taking place when a CD-ROM or USB drive is inserted, as well as make configuration changes to stop it from happening.)
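The Autorun.inf mechanism described above is easy to check for from the defender's side: the file is plain INI text, and only a few keys cause anything to launch. The following parser is an added example (not code from the book); it reads an autorun.inf, lists every directive that would run a program, and explains why the file is suspicious on removable media. The book's two-line sample is reused as one input; the second sample is constructed.

```python
import re
from typing import Dict, List, Tuple

# Keys in the [autorun] section that make Windows launch a program, either
# on insert (open=, shellexecute=) or when the user double-clicks the drive
# or picks a context-menu verb (shell\<verb>\command=).
LAUNCH_KEYS = {"open", "shellexecute"}
VERB_RE = re.compile(r"^shell\\[^\\]+\\command$")

# The book's own sample autorun.inf, reproduced here as test input.
PAGE_SAMPLE = "[autorun]\nOPEN=keylogger.exe\n"

# Constructed sample: disguises the drive as a folder and hijacks "Open".
DISGUISED_SAMPLE = """\
; constructed example, not a real malware file
[AutoRun]
icon=%SystemRoot%\\system32\\shell32.dll,4
label=Company Files
shellexecute=setup.exe
shell\\open\\command=setup.exe
shell\\explore\\command=setup.exe
"""


def parse_autorun_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .inf text into {section: {key: value}}. Section and key names
    are case-insensitive, so they are lower-cased; ';' starts a comment."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_directives(sections: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (directive, program) pairs from [autorun] that run something."""
    found = []
    for key, value in sections.get("autorun", {}).items():
        if key in LAUNCH_KEYS or VERB_RE.match(key):
            found.append((key, value))
    return found


def assess(text: str) -> Dict[str, object]:
    """Summarise what an autorun.inf found on removable media would do and
    why a defender should treat it as suspicious."""
    sections = parse_autorun_inf(text)
    directives = launch_directives(sections)
    auto = sections.get("autorun", {})
    reasons = [f"{key}= launches {program}" for key, program in directives]
    if directives and "icon" in auto:
        reasons.append("custom icon makes the drive look like a folder or document")
    if directives and "label" in auto:
        reasons.append(f"label '{auto['label']}' invites the user to open it")
    return {"launches": directives, "suspicious": bool(directives), "reasons": reasons}
```

The configuration change the text alludes to is the NoDriveTypeAutoRun value under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer; setting it to 0xFF turns Autorun off for every drive type, so none of the directives above ever fire.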


4.3.3. Infecting via Worms

The previous example was very realistic and could easily happen. It wasn't fancy, cool, or flashy, but it is important to realize that it could take place. Infection via a network worm, however, now that is cool!

The big difference you'll see between this next example and the previous one is that it will not require the human interaction. The simple act of connecting to the network will wreak the havoc.

For this example, let's say a vendor is the person causing all the issues. To make it less incriminating to people like me, the vendor won't have anything to do with security or technology. He — no, she will be a salesperson who works for a beer-distributing company.

The victim company is full of hard-working people. It's a great, profitable company to work for, and it really takes pride in rewarding its employees. One way in which it wants to reward them is by giving them access to beer while at work. This won't be limited to simply mundane domestic beer; this will include the microbrews and imports. There will even be liquor and wine provided for those who prefer those beverages. All of this alcohol will be regularly stocked in coolers residing in the kitchen area on each floor. In addition, a cart with a cooler full of ice and beer will be pushed through the halls of the office during "Beer O'Clock," which is celebrated every Friday at 5 p.m. To make all of this happen, the company needed to work out a deal with a local vendor to supply all of this beer. Therefore, the company will be inviting various vendors into its office to give their presentations.

NOTE

Thus far, this scenario is quite realistic. When I was the director of IT a number of years back, I was also responsible for the purchasing, which included beer as described in this manner (and we didn't have cubicles!). How we all miss the dotcom days....

During one of the presentations, a saleswoman from one of the local beer-distributing companies needed to connect to the Internet so that she could VPN into her corporate network and download an updated price sheet. The host company offered one of its conference room Ethernet connections to provide this connectivity. The saleswoman connected, downloaded the pricing sheet, and was done in no time. After she left, the customer's network was completely infected, there was tons of downtime, and the company lost lots of money. As a result, they couldn't afford to buy the good microbrews and imports, so they had to stick with plain old domestic beer. To all involved, this was a grave tragedy.

So, we know the saleslady infected the customer's network, and the results were bad. You probably hear about this type of scenario all the time, where an infected system connects to a network and automatically infects other systems. Although you've heard about it, how exactly is it done?

First, realize that worms can spread via a number of different means, including the following:

  • E-mail

  • Instant messaging (IM) applications

  • Network connections

E-mail and IM applications are the most common ways this is done. Basically, the worm will automatically send messages to addresses in the victim's address book, and by opening the messages, opening an attachment in the message, or clicking a link in the message, the recipient becomes infected. While the most common, it isn't exactly automatic. Someone on the other end, the recipient, usually must take some action. I'm not saying these types of worms aren't bad. In fact, they can be devastating. I'm just saying that they are not 100 percent automatic.

Think this can't happen? It personally happened to me. About two years ago I received a funny-looking Yahoo! Instant Message from a fellow engineer (we'll call him "Paul," since that is his actual name). Paul and I would IM each other regularly, and I wasn't surprised to get a message from him, although this particular message was a bit out of character for him. As it turns out, Paul had become infected by a worm. In fact, this worm caused him to be locked out of his Yahoo! IM and e-mail accounts! This worm was sent to everyone in his address book, including me and a bunch of other engineers. Needless to say, we still make fun of him about this.

So, what exactly can one of these worms actually do? The answer could be anything! Depending upon the nature of the worm, the actions the recipient takes, and the security posture of their system, literally anything could happen. Keyloggers and rootkits could be installed, files could be deleted, programs could become inoperable, and so on. That's a pretty bad situation.

Want another example? How about IM.GiftCom.All? This worm came out around Christmas a few seasons ago and was spread via IM applications. This particular worm was very nasty. Its actions included the following:

  • Installs a rootkit

  • Attempts to shut down antivirus

  • Logs keystrokes

  • Can also install sdbot.worm, which allows for backdoor control

That's about as bad as it gets. Clearly these threats are real and should be taken seriously. This is another reason why more and more companies are attempting to stop their users from using instant messaging applications.

While IM and E-mail worms are dangerous, network worms are sneakier. They don't necessarily need to have a recipient do anything on the other end. The following are some common methods network worms use to spread:

  • Via shared folders

  • By exploiting vulnerabilities in other systems on the network

Lots of systems have shared folders. If you look on your system, you very likely will have them, too, even if you don't know about it. A common method of protecting shared folders is to password-protect them. Using this method means that another person (or program) must know the password to be able to gain access to the shared folder. Does this stop network worms? Not the smart ones!

There are worms that will use dictionary attacks and brute force to try to guess the username and passwords of the shares. Figure 4-7 shows a brute-force attack, and Figure 4-8 shows how a dictionary attack takes place.

Figure 4-7. Brute-force attack

Figure 4-8. Dictionary attack

The brute-force attack typically takes longer than the dictionary attack, although both are dependent upon the complexity of the password to be successful.

An example of a worm that behaves in this manner is W32.Fujacks!gen. This worm came out in early 2007. In looking at the description of what this particular worm does, you'll see from the following description from Symantec that it performs a dictionary attack:

Discovered: January 9, 2007
Updated: February 13, 2007 1:03:17 PM
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
 Windows NT, Windows Server 2003, Windows XP

When a variant of W32.Fujacks!gen is executed, it performs the following actions:

Infects .asp .htm .html files found on local system.


Adds the following subkeys to the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Deletes the run subkeys of predetermined security-related software.


Copies itself to network shares using a list of weak passwords.


Copies itself to remote password shares using a dictionary attack
 against weak share passwords.


May infect executables on the local drive.


Copies itself to other locations.

Note: the partition root drive, network share roots drive and %System% are
 used by known variants.


May create [DRIVE LETTER]\autorun.inf.


May delete files with the following extensions from the root directory of
 local partitions, except C:


.gho
.exe
.scr
.pif
.com


Ends processes based on process names, window names and service names.


Removes local network shares.
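The brute-force and dictionary attacks in Figures 4-7 and 4-8, and the share-guessing behaviour in the W32.Fujacks!gen description, leave the same trace on the victim side: a burst of failed network logons from one source, usually against a few account names and more than one host. The following detector is an added example (not code from the book) that runs over constructed, simplified renderings of Windows logon-failure events (Event ID 4625, logon type 3 for network access); the log format, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: simplified rendering of Windows logon events. 4625 is
# "logon failure", 4624 is success; logon type 3 is a network logon, which
# is what connecting to a share produces. The burst from 10.0.0.55 is the
# worm's guessing run; the other lines are ordinary user activity.
SAMPLE_LOG = """\
2007-02-13T10:01:00 4625 type=3 src=10.0.0.55 user=administrator target=FS01
2007-02-13T10:01:01 4625 type=3 src=10.0.0.55 user=administrator target=FS01
2007-02-13T10:01:02 4625 type=3 src=10.0.0.55 user=administrator target=FS01
2007-02-13T10:01:03 4625 type=3 src=10.0.0.55 user=admin target=FS01
2007-02-13T10:01:04 4625 type=3 src=10.0.0.55 user=guest target=FS01
2007-02-13T10:01:05 4625 type=3 src=10.0.0.55 user=administrator target=FS02
2007-02-13T10:01:06 4625 type=3 src=10.0.0.55 user=administrator target=FS02
2007-02-13T10:01:07 4625 type=3 src=10.0.0.55 user=admin target=FS02
2007-02-13T10:01:09 4625 type=2 src=10.0.0.7 user=jsmith target=WS-JSMITH
2007-02-13T10:01:10 4624 type=3 src=10.0.0.7 user=jsmith target=FS01
2007-02-13T10:15:00 4625 type=3 src=10.0.0.9 user=mlee target=FS01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>\d+) type=(?P<ltype>\d+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) target=(?P<target>\S+)$"
)


def parse_events(text: str) -> List[Dict[str, object]]:
    """Turn the sample lines into dicts; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def detect_share_guessing(events, threshold: int = 5,
                          window_seconds: int = 60) -> List[Dict[str, object]]:
    """Alert on any source producing >= threshold failed network logons inside
    a sliding window. A worm's dictionary run looks like this: many failures
    in seconds, a handful of account names, and usually several target hosts."""
    window = timedelta(seconds=window_seconds)
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: Dict[str, Dict[str, object]] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["eid"] != "4625" or ev["ltype"] != "3":
            continue  # only failed network logons matter here
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"], ev["target"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            alerts[ev["src"]] = {
                "src": ev["src"],
                "failures": len(q),
                "accounts": sorted({u for _, u, _ in q}),
                "targets": sorted({t for _, _, t in q}),
                # Spreading across hosts is the worm pattern; one host and
                # one account is more often a user mistyping a password.
                "lateral": len({t for _, _, t in q}) > 1,
            }
    return list(alerts.values())


def alerts_for_sample() -> List[Dict[str, object]]:
    return detect_share_guessing(parse_events(SAMPLE_LOG))
```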

NOTE

Earlier in the chapter, you learned that malware must infect a number of machines before the antivirus vendors become aware of the threat and include ways to address the threat in their virus definition files. Keep in mind that malware today is created to attack specific companies and a smaller number of systems, to go undetected.

The second manner in which a network worm infects is by taking advantage of vulnerabilities that may be present on a system. The worm actively seeks out systems, attempts to exploit them because they have a vulnerability, does its damage, then tries to infect additional systems. Figure 4-9 shows this process.

Figure 4-9. The spread of network worms

A common method that worms use to exploit other systems is by taking advantage of Microsoft system vulnerabilities. As with all software, Microsoft operating systems and programs have "bugs" in them that can allow someone with malicious intent to exploit the machines. When Microsoft finds out about these vulnerabilities, it releases patches that can be applied to systems to fix the problem. These patches are routinely released on "Patch Tuesday," which is the first Tuesday of every month. Companies then analyze the patches, test them, and push them out to their computer systems. Once the patches are installed, the systems are protected against any exploits that attempt to take advantage of the vulnerability that the patch has fixed. Figure 4-10 shows the patching timeline.

NOTE

Microsoft and other software vendors do not know about every vulnerability that exists for their products. New vulnerabilities are discovered all the time, and just because a system has the most current patches, this doesn't mean that it is 100 percent protected from exploitation.

Let's go back to the example of the beer saleswoman. When she attached her machine to the customer's LAN, she was infected with a network worm. That network worm infected the customer's LAN in the same manner as just described. She didn't intentionally infect the LAN; it actually cost her money when the LAN became infected (the company had to buy cheaper domestic beer instead of the good stuff). This type of infection actually can happen. Let's look at a specific example now.

W32/Sdbot.worm!MS06-040 is a piece of malware that performs exactly in the manner that was just discussed. You may note in the name of the worm that it lists a Microsoft vulnerability, named MS06-040. The reason it uses this in the name is because that is the vulnerability that it uses to exploit its next victim. It exploits the victim in order to gain a level of access to the system. When it is able to do that, it can execute its malicious code. To understand how this worm works, it is important to understand information about MS06-040:

Figure 4-10. Patching timeline

Microsoft Security Bulletin MS06-040
Vulnerability in Server Service Could Allow Remote Code Execution (921883)
Published: August 8, 2006 | Updated: September 12, 2006

Version: 2.0

Summary
Who Should Read this Document: Customers who use Microsoft Windows

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately

Security Update Replacement: None

Caveats: Microsoft Knowledge Base Article 921883 documents the currently
 known issues that customers may experience when they install this
 security update. The article also documents recommended solutions
 for these issues. For more information, see Microsoft Knowledge Base
 Article 921883.

Affected Software:

• Microsoft Windows 2000 Service Pack 4

• Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2

• Microsoft Windows XP Professional x64 Edition

• Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1

• Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft
 Windows Server 2003 with SP1 for Itanium-based Systems

• Microsoft Windows Server 2003 x64 Edition

Vulnerability Details

Buffer Overrun in Server Service Vulnerability - CVE-2006-3439:

There is a remote code execution vulnerability in Server Service that could
 allow an attacker who successfully exploited this vulnerability to take
 complete control of the affected system.

In reading the details, you should notice a couple of things. First, this vulnerability affects a lot of systems, including Windows XP Service Pack 2. You should also notice that this vulnerability allows for "remote code execution" that "could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system." This means that, by taking advantage of this vulnerability, a hacker (or worm, in this case) could do whatever he, she, or it wants to the system.

So, the saleswoman's machine sought out a victim on the customer's network, found one, then ran an exploit to take advantage of the MS06-040 vulnerability. At that point, the worm could do whatever it wanted. What did W32/Sdbot.worm!MS06-040 want to do?

Per McAfee's assessment of this worm (available at http://vil.nai.com/vil/content/v140440.htm), this worm performs the following tasks.

4.3.3.1. System Changes

The following system changes are made:

  • Files added:

    %SYSTEMDIR%\javanet.exe ( 180736 bytes )

  • Files replaced:

    %SYSTEMDIR%\drivers\tcpip.sys
    %SYSTEMDIR%\dllcache\tcpip.sys

(This threat detects XP SP2 or newer versions of tcpip.sys and modifies it to allow up to 200 simultaneous connections for its aggressive port scanning.)

4.3.3.2. Registry

The following registry keys are created:

hkey_local_machine\software\microsoft\windows\currentversion\runservices\ms java for windows xp & nt="javanet.exe"

hkey_current_user\software\microsoft\windows\currentversion\runservices\ms java for windows xp & nt="javanet.exe"

hkey_local_machine\system\currentcontrolset\control\lsa\restrictanonymous="1"

hkey_local_machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel="1"

hkey_local_machine\system\controlset001\services\sharedaccess\start = "0x00000004" (disable Windows Firewall)

hkey_local_machine\system\currentcontrolset\services\sharedaccess\start = "0x00000004" (disable Windows Firewall)

hkey_local_machine\system\controlset001\services\wuauserv\start = 0x00000004 (disable Windows Update)

hkey_local_machine\system\currentcontrolset\services\wuauserv\start = 0x00000004 (disable Windows Update)

hkey_current_user\software\microsoft\windows\javanet="rBot v2 a.k.a. the next generation (working on winXP SP2)"

hkey_local_machine\software\microsoft\ole\enabledcom="78"

hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\userinit="%SYSTEMDIR%\userinit.exe,javanet.exe"

hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\shell="Explorer.exe javanet.exe"

The virus opens a backdoor at TCP port 4915 and tries to connect to an Internet Relay Chat (IRC) server waiting for commands at forum.ednet.es.

The commands that the virus can receive include the following:

  • DDoS

  • Scan (for vulnerable systems)

  • Download/execute remote files

  • Start, stop the spread through IM

  • Kill processes and threads

  • Open a command shell

  • Start a SOCKS4 proxy server

  • Log keystrokes

It steals login credentials and personal identification number (PIN) information if the following strings are present in the browsed domain name:

  • bank

  • Bank

  • eBay

  • e-gold

  • iKobo

  • PayPal

  • StormPay

  • WorldPay

  • Western Union

It kills services and applications having the following strings:

  • avast

  • Norton

  • mcafee

  • f-pro

  • lockdown

  • firewall

  • blackice

  • avg

  • vsmon

  • zonea

  • spybot

  • nod32

  • reged

  • rav

  • nav

  • avp

  • troja

  • viru

  • anti

This worm clearly performs a number of tasks that would adversely affect any enterprise. You can see that it will disable Windows updates and disable security software so that the infected systems remain vulnerable to exploitation. It also will steal passwords and open up a communications channel to a remote hacker, who then remotely controls the infected system. When it says "Open a Command Shell," it means that a remote hacker gets a DOS prompt on the victim's system, as shown in Figure 4-11.

All of this happened because a nice saleswoman, who was trying to do her job, connected her infected laptop to her customer's LAN. To state it again, this was unintentional. Nonetheless, it caused a considerable amount of damage.

I hope the previous examples put the unintentional threats into context by providing real-world examples of how these infections take place. Often, people will use these scenarios as a means to justify the need for NAC, while not really understanding how the threats themselves actually take place. Having a clear understanding of how these infections take place enables the appropriate personnel to be able to address the threats.

4.3.4. Does LAN-Based NAC Protect against Infection?

Now, here's the magic question: Would LAN-based NAC have prevented these examples of unintentional infection? The answer is "it depends." I have no doubt that others would say "yes, it sure does!" although the real answer is just that — it depends. It's kind of like asking if a firewall will stop someone from attacking a LAN. It depends on how the firewall is configured. If it is configured properly, then it sure can help. If it's configured incorrectly, it won't. Even then, there are limitations to what it could do.

Figure 4-11. Getting a DOS prompt onto the victim's system

Let's start by looking at what LAN-based NAC could have done to prevent this from happening:

  • NAC could have checked to see if the saleswoman's laptop had antivirus software running and up to date, and quarantined or restricted her access if it didn't.

  • NAC could have noticed that her device was a guest and put her into a network or VLAN that didn't have access to company systems.

  • NAC could have prevented any network connectivity because the system was determined not to be a corporate asset.

In my experience, people usually mention the first point. They want to make sure that antivirus software is up and running before allowing systems onto their LAN. That gives them a warm and fuzzy feeling that the system isn't infected and nothing is wrong with it. That can be a false sense of security. Consider these points:

  • The saleswoman's laptop may have been running antivirus software that was running and up to date. Whether or not the antivirus program would detect the worm depends upon whether or not the antivirus vendor knew the worm existed in the first place. In looking at the patching timeline, there is a period of time between when a hacker writes a worm (or virus) and when the antivirus software vendors find out about it and add that specific piece of malware to their virus definitions.

  • We've seen that worms can shut off antivirus and other security programs. They can also modify registry settings and add/remove/modify files. There actually is malware out there that will disable antivirus software so that it doesn't provide any protection, then actually modify various settings so that it looks like it actually is running. Sneaky!

  • According to AusCERT (the national Computer Emergency Response Team for Australia), 80 percent of new malware will bypass antivirus programs. They also state that this is so because of cybercriminals designing their malware to bypass detection, rather than because of a defective product. Missing eight out of every ten pieces of malware is quite ineffective.

Even if the LAN-based NAC solution checked to see if the saleswoman's laptop had antivirus software running and up to date, she still might have unintentionally infected their LAN.

What if the NAC solution noticed she was a guest and put her on a separate subnet that wasn't connected to company computer systems? That certainly would have helped! If that were the case, she wouldn't have posed any greater threat to the company than anyone else on the Internet (assuming that this was configured correctly).

The same is true for the third point — simply not allowing her any access because she was a guest. If she plugged in her laptop to the Ethernet and wasn't allowed onto the network, she wouldn't have been able to infect any other systems.

A logical question to ask is how would the NAC solution know whether or not the saleswoman was a guest? The LAN-based NAC solution could do this two ways:

  • Check for the presence of a NAC client and use a series of criteria to establish whether or not a device is an owned corporate asset. If a client isn't installed, or if it doesn't meet that criteria, it is a guest.

  • Use a form of authentication with the NAC solution, such as 802.1X. Even if the user passes the security evaluation, the guest would still need to be authenticated before being given any network access.
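The admission logic described in this section (guest determination by NAC client asset criteria or 802.1X, then an antivirus posture check for corporate assets, with the worm's kill-list used to confirm an AV process is actually alive) as an added Python example; it is not code from the book or any NAC product, and the device records, asset-tag field and three-day definition-age policy are constructed assumptions.

```python
"""Toy NAC admission decision (added example, not from the book).

Guest determination follows the two methods in the text; a corporate
asset is then posture-checked for a running, up-to-date antivirus.
A passing AV check is still not proof of a clean host (see the three
caveats above), so guest status always dominates the decision."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Name fragments of security products this page's worm is known to kill.
# A posture check can use them to confirm an AV process is still present.
SECURITY_PROCESS_HINTS = ("avast", "norton", "mcafee", "avg", "nod32", "nav", "avp")
MAX_DEFINITION_AGE_DAYS = 3  # assumed policy value, not from the book

@dataclass
class Device:
    mac: str                          # constructed sample identifier
    dot1x_authenticated: bool         # 802.1X credential accepted
    nac_client_present: bool
    asset_tag_valid: bool             # NAC client reports a known corporate tag (assumed criterion)
    running_processes: List[str] = field(default_factory=list)
    av_definition_date: Optional[date] = None

def is_corporate_asset(d: Device) -> bool:
    """Either method from the text establishes a non-guest; lacking both means guest."""
    return d.dot1x_authenticated or (d.nac_client_present and d.asset_tag_valid)

def av_posture_ok(d: Device, today: date) -> bool:
    """AV process present (matched against the worm's kill-list) and definitions fresh."""
    running = any(h in p.lower() for p in d.running_processes for h in SECURITY_PROCESS_HINTS)
    fresh = (d.av_definition_date is not None
             and (today - d.av_definition_date).days <= MAX_DEFINITION_AGE_DAYS)
    return running and fresh

def admission_decision(d: Device, today: date, guest_policy: str = "GUEST_VLAN") -> str:
    """Return FULL, QUARANTINE, or the guest policy (GUEST_VLAN or DENY)."""
    if not is_corporate_asset(d):
        return guest_policy           # segregated subnet or no access at all
    # Corporate asset: posture-check AV; failure means remediation VLAN.
    return "FULL" if av_posture_ok(d, today) else "QUARANTINE"

if __name__ == "__main__":
    today = date(2008, 6, 1)  # constructed date
    # The saleswoman's laptop: AV looks fine, but it is not a corporate asset.
    visitor = Device("00:11:22:33:44:55", False, False, False, ["avgnt.exe"], today)
    print(admission_decision(visitor, today))            # GUEST_VLAN
    # Corporate laptop whose AV process has been killed by the worm.
    victim = Device("00:11:22:33:44:66", True, True, True, ["explorer.exe"], today)
    print(admission_decision(victim, today))             # QUARANTINE
```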

If this particular company had either segregated the saleswoman on a separate LAN or not provided her access to begin with, the network wouldn't have become infected. The employees would also be drinking some good Honker's Ale now instead of the cheap stuff that everyone drank in college.

The moral to get from this section is that it is a best practice to segment and restrict guest LAN access. Having guests on a separate network, or enforcing authentication to gain access to the corporate LAN, can stop these types of unintentional threats from taking place.
