Security Incident Response (SIR) Case Study #1
NOTICE: This is a case study, based on real life correspondence from an actual client incident. All personal/company identities and other sensitive information such as domain names and external addresses had been censored to protect the innocent.
From: Sam Chan
Sent: Friday, February 24, 2006 11:09 AM
To: All
Subject: Monday 2/20 Security Incident Report & Analysis
Please read important summary & key takeaway points at the end.
See also: Screen capture images with annotations during repair session (in a separate window for side-by-side viewing).
Web Proxy Server Log Analysis
Some quick statistics on Monday 2/20/06:
From 8:29:27 to 11:53:26, there were 2,658 page requests from your station. This is after filtering out all graphic elements (transparent tracking beacon .GIF, banners & buttons, etc.); otherwise, the total request count is over 10,000! Virtually all of them were from background traffic, not your own explicit actions. There are established and scientific signatures to determine which is which.
From a forensics point of view, based on my professional opinions and experience, these statistics alone are sufficient to derive that the visited sites are extremely aggressive, deceptive & likely malicious. They employ every feasible technical means, along with deception tactics and scams, to assault you electronically. Many of them are clearly illegal and prosecutable behaviors (given resources and determination).
A quick analysis of the traffic log from the Proxy server at the perimeter of your location confirms that. At times, your traffic was literally 99.5% not yours. I spotted many stretches of over 100 requests by marketing, tracking & spies before a single URL that you asked for. As a point of benchmark, consider the following excerpt from my study:
Type of Sites Visited | Background Traffic Ratio | Remarks
Any of 21 Bravo-operated sites | 1% | What you click is what you get.
Typical government sites | 2% | Tracking, legitimate house-keeping items.
Typical major Not-for-profit sites | 5% | Basic tracking and informational items.
Corporations: IBM, EMC, Airlines, etc. | 15% | Basic tracking & promotions.
Typical stores: Amazon, Walmart, etc. | 25% | Tracking, cross-promotion.
Major portal sites: MSN, Yahoo, AOL, etc. | 25% - 50% | Massive 3rd party ads, with a high percentage of known illegal and malicious entities.
Questionable sites - The usual suspects: Pirate music, "free" porn, jokes, celebrity pictures, "free iPod," etc. | 50% - 99% | Excluding all proper music sites and legitimate porn, which are mainstream and respectable businesses, operated by every single major corporation, including Disney and Google!
The trouble spots are clustering around these specific problematic sites:
These sites were exposing you to several hundred links (within that period) that are dangerous. There are many more known problematic sites during that day, but I only cite these because they were directly leading up to the incident. I ignored all those after the breach because they're the effects, not the causes.
The exact breach occurred between 09:08:39 and 09:13:12, as a direct result of clicking on something Yahoo pushed out to you. I'm 99% sure this was the transaction:
[I've since confirmed the site is a known fraud, laden with fake system error messages]
09:12:41 192.168.0.101 http://rds.yahoo.com/_ylt=A9ibyfIazflD5B4BfftXNyoA;_ylu=X3oDMTE2bDZodTJyBGNvbG8DZQRsA1dTMQRwb3MDOQRzZWMDc3IEdnRpZANZUzc2Xzgy/SIG=12h2nhmqa/EXP=1140530842/**http%3a//www.beautyriot.com/HTML/HAIR_Witherspoon_Reese_01.html
Within 1 minute, your system already had multiple compromises and all the newly installed agents launched. Your traffic exploded, to a level that's humanly impossible (click speed). Your host-based Firewall (KPF) was prompting you numerous times as out-bound traffic was caught. That indicates that you had previously reduced KPF to medium mode. My advocacy & policy is to leave it in high mode (deny all unknown). All unauthorized (by me) programs will be categorically denied without you having a chance to permit. In your frantic response, you denied most of them, but accidentally permitted one and created a rule to permanently allow it.
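To make the two observations above reproducible (the background-traffic ratio after graphic elements are filtered out, and a request rate that is "humanly impossible" at click speed), here is an added Python example that is not from the original report or the Bravo SIR kit. It parses constructed proxy log lines in the report's `time client-ip URL` layout; the tracker host list and the 4-requests-per-5-seconds threshold are assumed placeholders, not the "established signatures" the report refers to.

```python
import re
from collections import deque
from urllib.parse import urlparse

# Constructed proxy log sample in the "HH:MM:SS client-ip URL" layout the report quotes.
SAMPLE_LOG = """\
09:12:41 192.168.0.101 http://portal.test/redirect?to=http://gallery.test/hair.html
09:12:42 192.168.0.101 http://gallery.test/hair.html
09:12:42 192.168.0.101 http://gallery.test/img/banner.gif
09:12:43 192.168.0.101 http://ads.tracker.test/beacon?id=1
09:12:43 192.168.0.101 http://spy.updates.test/agent/check
09:12:44 192.168.0.101 http://spy.updates.test/agent/payload
09:12:44 192.168.0.101 http://spy.updates.test/agent/report
09:13:10 192.168.0.101 http://gallery.test/page2.html
"""
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\s+(\S+)\s+(\S+)$")
# Assumed signature list: hosts counted as background (ad/tracker/agent) traffic.
BACKGROUND_HOSTS = {"ads.tracker.test", "spy.updates.test"}
GRAPHIC_EXT = (".gif", ".jpg", ".jpeg", ".png", ".css", ".js", ".ico")

def parse_log(text):
    """Return (seconds_since_midnight, client, url) for page requests only."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        h, mi, s, client, url = m.groups()
        if urlparse(url).path.lower().endswith(GRAPHIC_EXT):
            continue  # drop beacons, banners and buttons, as the report's statistics do
        out.append((int(h) * 3600 + int(mi) * 60 + int(s), client, url))
    return out

def background_ratio(requests):
    """Fraction of page requests whose host matches a background signature."""
    if not requests:
        return 0.0
    bg = sum(urlparse(url).hostname in BACKGROUND_HOSTS for _, _, url in requests)
    return bg / len(requests)

def burst_windows(requests, window_s=5, max_human=4):
    """Start offsets of windows holding more requests than a person could click."""
    hits, recent = set(), deque()
    for secs, _, _ in requests:
        recent.append(secs)
        while secs - recent[0] > window_s:
            recent.popleft()
        if len(recent) > max_human:
            hits.add(recent[0])
    return sorted(hits)
```

On the sample, the one .gif line is dropped, four of the seven remaining page requests hit tracker hosts, and the burst starting at 09:12:41 is flagged while the lone request at 09:13:10 is not.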
9:40 You noticed the toolbar added, and IE was sluggish. The system wasn't acting right. You started performing Windows Update.
9:56:07 You went to Microsoft Knowledgebase to research the problem.
10:15 You emailed me for help.
10:23:24 You went to Symantec and performed an online security scan.
10:23:49 You presumably aborted the scan, or it failed, probably due to your reluctance to proceed with the required ActiveX download. You went to Symantec and read the AVcenter bulletins, and basically spent the rest of the time between MS KB and Sym AVcenter. The spy assault went on unabated during this period. The majority of them were blocked by KPF, with the exception of ifwza.exe, which was permitted by your rule. KPF averted a full-scale meltdown (saturation of your WAN pipe and insider attack against the server and other workstations), but the relentless attempts to spawn itself created CPU saturation. That's why you experienced sporadic apparent lock-ups.
10:46 I replied.
11:02 I called. You briefed me on the latest situation. I then remoted in to assess the condition, and proceeded to operate in "ambulance mode" (as opposed to hospital). I went to BDL, downloaded the Bravo SIR kit, and invoked the Bravo KPF Panic3.conf rules for the duration of my session, which stopped all traffic except my remote session. I performed all the pertinent scans and fixes. I restored your KPF rules, set it back to Deny-all-Unknown mode, and removed the accidental permit rule you created.
11:35 SYMP was declared conditionally safe to use, pending further investigation and touch-up on a non-emergency basis. I handed control back to you.
Additional Notes
There are strong signs that Yahoo Messenger and Yahoo Toolbar were installed prior to the incident. The behavior & traffic pattern leading up to the incident are consistent with that hypothesis. There are tell-tale signs within the Windows registry confirming such an install. However, at the file system level, all signs of Yahoo had been removed, presumably during your attempt to fix the lock-ups, etc. At the time of incident response, I focused on damage containment & neutralizing remaining threats, so that you could resume work ASAP. No attempts were made to preserve anything for analysis. Note that it is still possible, however, to perform forensic analysis on the hard drive itself to uncover what was uninstalled/deleted, etc. Of course, that wouldn't be warranted.
There are also sure signs that Morpheus file-sharing was installed. I estimate 2 weeks to 3 months ago. Again, I can't pin-point it (without further efforts) because all the files have been deleted. Morpheus would make your workstation (and potentially your entire network and server) accessible to the outside world. Yes, I know they're supposed to allow you to specify if, and what, you want to share, but there have been numerous published techniques for circumventing such limitations. Be advised: Morpheus is high on the administrators' blacklist at all IT-controlled sites (including your firm) and is banned for good reasons. There are also clear and present legal liabilities to the user and the firm, due to real actions and strong resolve on the part of the RIAA.
Also, unrelated to the incident in question, InterActual Player was installed on 2/15/06 and remains so. It's apparently related to some DVD playing from some highly questionable outfits. I intend to remove it manually later, as it's not needed and represents a potential risk to security and stability.
"Network Monitor" was installed, presumably by the spyware, on 2/20/06. Fragments still remain but the main functions have been neutralized. I will perform thorough manual removal later.
Morpheus and Yahoo Messenger are definitely explicit, user-initiated, willful installs, not drive-by installs.
Yahoo Toolbar is a sneaky bundled install that Yahoo planted with Messenger, behind a hidden dialog box.
Key Takeaway Points:
Copyright @2006 Bravo Technology Center