Security Incident Response (SIR) Case Study #1

NOTICE: This is a case study, based on real-life correspondence from an actual client incident. All personal/company identities and other sensitive information such as domain names and external addresses have been censored to protect the innocent.

From: Sam Chan
Sent: Friday, February 24, 2006 11:09 AM
To: All
Subject: Monday 2/20 Security Incident Report & Analysis

Please read important summary & key takeaway points at the end.

See also:  Screen capture images with annotations during repair session (in a separate window for side-by-side viewing).

Web Proxy Server Log Analysis

Some quick statistics on Monday 2/20/06: 
From 8:29:27 to 11:53:26, there were 2,658 page requests from your station. This is after filtering out all graphic elements (transparent tracking beacon .GIF, banners, buttons, etc.). Otherwise, the total request count is over 10,000! Virtually all of them were from background traffic, not your own explicit actions. There are established and scientific signatures to determine which is which.

From a forensics point of view, based on my professional opinions and experience, these statistics alone are sufficient to derive that the visited sites are extremely aggressive & deceptive & likely malicious. They employ every feasible technical means, along with deception tactics and scams, to assault you electronically. Many of them are clearly illegal and prosecutable behaviors (given resources and determination).

A quick analysis of the traffic log from the Proxy server at the perimeter of your location confirms that. At times, your traffic was literally 99.5% not yours. I spotted many stretches of over 100 requests by marketing, tracking & spies before a single URL that you asked for. As a point of benchmark, consider the following excerpt from my study:

Type of Sites Visited                                                                          | Background Traffic Ratio | Remarks
-----------------------------------------------------------------------------------------------|--------------------------|---------------------------------------------------------------
Any of 21 Bravo-operated sites                                                                 | 1%                       | What you click is what you get.
Typical government sites                                                                       | 2%                       | Tracking, legitimate house-keeping items.
Typical major not-for-profit sites                                                             | 5%                       | Basic tracking and informational items.
Corporations: IBM, EMC, airlines, etc.                                                         | 15%                      | Basic tracking & promotions.
Typical stores: Amazon, Walmart, etc.                                                          | 25%                      | Tracking, cross-promotion.
Major portal sites: MSN, Yahoo, AOL, etc.                                                      | 25% - 50%                | Massive 3rd-party ads, with a high percentage of known illegal and malicious entities.
Questionable sites - the usual suspects: pirate music, "free" porn, jokes, celebrity pictures, "free iPod," etc. | 50% - 99%                | Excluding all proper music sites, and legitimate porn, which are mainstream and respectable businesses operated by every single major corporation, including Disney and Google!
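The background-traffic ratio and "humanly impossible" request rate described above can be measured mechanically from the proxy log. The following script is an added example written for this case study; it is not Bravo's own SIR tooling. It parses lines in the "HH:MM:SS client-ip URL" shape of the log line quoted later in the report, drops graphic and script elements so only page-level requests are counted, tags requests to listed ad/tracker hosts as background traffic, reports the longest run of background requests, flags any second in which page requests exceed a click-speed threshold, and extracts the real destination embedded after "**" in a click-tracking redirector URL. The tracker domain list, the sample log lines and the redirector URL are constructed placeholders, not data from the incident.

```python
"""Proxy-log triage helper (added example, not Bravo's own tooling)."""
import os
import re
from collections import Counter
from urllib.parse import urlparse, unquote

# Log line shape quoted in the report: "HH:MM:SS client-ip URL"
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s*$")

# Graphic/script elements filtered out before counting page requests
ASSET_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".png", ".css", ".js", ".ico"}

# ASSUMPTION: a block list of ad/tracker domains. These are constructed
# placeholders; a real deployment would load a maintained list.
BACKGROUND_DOMAINS = {"adnet.test", "trackco.test"}

# Constructed sample log (not from the incident). Eight requests within one
# second to an ad host simulate the burst that follows a drive-by install.
SAMPLE_LOG = """\
09:12:41 192.168.0.101 http://www.news-site.test/index.html
09:12:41 192.168.0.101 http://www.news-site.test/style.css
09:12:41 192.168.0.101 http://ads.adnet.test/serve?z=1
09:12:41 192.168.0.101 http://pixel.trackco.test/b.gif?u=42
09:12:42 192.168.0.101 http://ads.adnet.test/frame.html
09:12:42 192.168.0.101 http://ads.adnet.test/frame2.html
09:12:42 192.168.0.101 http://syndicate.trackco.test/x.js
09:12:43 192.168.0.101 http://www.news-site.test/article/1.html
""" + "".join(f"09:13:10 192.168.0.101 http://popup.adnet.test/offer{i}.html\n"
              for i in range(8))

# Constructed redirector URL in the "/**http%3a//destination" shape seen in the report
SAMPLE_REDIRECT = "http://rds.redirector.test/_ylt=abc123/SIG=xyz/**http%3a//www.landing-site.test/page.html"


def parse_line(line):
    """Return (time, ip, url) or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    return m.groups() if m else None


def is_page_request(url):
    """True unless the URL path ends in a static asset extension."""
    ext = os.path.splitext(urlparse(url).path)[1].lower()
    return ext not in ASSET_EXTENSIONS


def is_background(url, domains=BACKGROUND_DOMAINS):
    """True if the URL's host is (a subdomain of) a listed ad/tracker domain."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def redirect_target(url):
    """Destination embedded after '**' in a click-tracking redirector URL, or None."""
    marker = url.find("**")
    if marker == -1:
        return None
    return unquote(url[marker + 2:])


def analyze(log_text, burst_threshold=5):
    """Summarise a log: request counts, background ratio, longest consecutive
    run of background page requests, and seconds whose page-request count
    exceeds burst_threshold (a rate no human produces by clicking)."""
    total = pages = background = 0
    run = longest_run = 0
    per_second = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _ip, url = parsed
        total += 1
        if not is_page_request(url):
            continue
        pages += 1
        per_second[ts] += 1
        if is_background(url):
            background += 1
            run += 1
            longest_run = max(longest_run, run)
        else:
            run = 0
    bursts = sorted(ts for ts, n in per_second.items() if n > burst_threshold)
    return {
        "total_requests": total,
        "page_requests": pages,
        "background_requests": background,
        "background_ratio": background / pages if pages else 0.0,
        "longest_background_run": longest_run,
        "burst_seconds": bursts,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
    print("redirect lands on:", redirect_target(SAMPLE_REDIRECT))
```

Run it against a real export by replacing SAMPLE_LOG with the file contents; the burst threshold and the domain list are the two knobs worth tuning to the site's own baseline (the 1% to 99% ratios in the table above give a sense of what "normal" looks like per site category).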

The trouble spots cluster around these specific problematic sites:

These sites were exposing you to several hundreds of links (within that period) that are dangerous. There are many more known problematic sites during that day, but I only cite these because they were directly leading up to the incident. I ignored all those after the breach because they're the effects, not the causes.

The exact breach occurred between 09:08:39 and 09:13:12, as a direct result of clicking on something Yahoo pushed out to you. I'm 99% sure this was the transaction:
[I've since confirmed the site is a known fraud, laden with fake system error messages]

09:12:41 192.168.0.101 http://rds.yahoo.com/_ylt=A9ibyfIazflD5B4BfftXNyoA;_ylu=X3oDMTE2bDZodTJyBGNvbG8DZQRsA1dTMQRwb3MDOQRzZWMDc3IEdnRpZANZUzc2Xzgy/SIG=12h2nhmqa/EXP=1140530842/**http%3a//www.beautyriot.com/HTML/HAIR_Witherspoon_Reese_01.html

Within 1 minute, your system already had multiple compromises and all the newly installed agents launched. Your traffic exploded to a level that's humanly impossible (click speed). Your host-based firewall (KPF) was prompting you numerous times as out-bound traffic was caught. That indicates that you had previously reduced KPF to medium mode. My advocacy & policy is to leave it in high mode (deny all unknown). All un-authorized (by me) programs will be categorically denied without you having a chance to permit them. In your frantic response, you denied most of them, but accidentally permitted one and created a rule to permanently allow it.

9:40 You noticed the toolbar added, and IE was sluggish. The system wasn't acting right. You started running Windows Update.

9:56:07 You went to the Microsoft Knowledgebase to research the problem.

10:15 You emailed me for help.

10:23:24 You went to Symantec and performed an online security scan.

10:23:49 You presumably aborted the scan, or it failed, probably due to your reluctance to proceed with the required ActiveX download. You went to Symantec and read the AVcenter bulletins, and basically spent the rest of the time between MS KB and Sym AVcenter. The spy assault went on unabated during this period. The majority of them were blocked by KPF, with the exception of ifwza.exe, which was permitted by your rule. KPF averted a full-scale meltdown (saturation of your WAN pipe and insider attack against the server and other workstations), but the relentless attempts to spawn itself created CPU saturation. That's why you experienced sporadic apparent lock-ups.

10:46 I replied.

11:02 I called. You briefed me on the latest situation. I then remoted in to assess the condition, and proceeded to operate in "ambulance mode" (as opposed to hospital). I went to BDL and downloaded the Bravo SIR kit. I invoked the Bravo KPF Panic3.conf rules for the duration of my session, which stopped all traffic except my remote session. I performed all the pertinent scans and fixes. I restored your KPF rules, set it back to Deny-all-Unknown mode, and removed the accidental permit rule you created.

11:35 SYMP was declared conditionally safe to use, pending further investigation and touch-up on a non-emergency basis. I handed control back to you.


Additional Notes

There are strong signs that Yahoo messenger and Yahoo Toolbar were installed prior to the incident. The behavior & traffic pattern leading up to the incident are consistent with that hypothesis. There are tell-tale signs within Windows registry confirming such install. However, at the file system level, all signs of Yahoo had been removed, presumably during your attempt to fix the lock-ups, etc. At the time of incident response, I focused on damage containment & neutralizing remaining threats, so that you could resume work ASAP. No attempts were made to preserve anything for analysis. Note that it is still possible, however, to perform forensic analysis on the hard drive itself to uncover what was uninstalled/deleted, etc. Of course, that wouldn't be warranted.

There are also sure signs that Morpheus file-sharing was installed. I estimate 2 weeks to 3 months ago. Again, I can't pin-point it (without further efforts) because all the files have been deleted. Morpheus would make your workstation (and potentially your entire network and server) accessible to the outside world. Yes, I know they're supposed to allow you to specify if, and what, you want to share, but there have been numerous published techniques for circumventing such limitations. Be advised: Morpheus is high on the administrators' blacklist at all IT-controlled sites (including your firm) and is banned for good reasons. There are also clear and present legal liabilities to the user and the firm, due to real actions and strong resolve on the part of the RIAA.

Also, unrelated to the incident in question, InterActual Player was installed on 2/15/06 and remains so. It's apparently related to some DVD playing from some highly questionable outfits. I intend to remove it manually later, as it's not needed and represents a potential risk to security and stability.

"Network Monitor" was installed, presumably by the spyware on 2/20/06. Fragments still remain but the main functions have been neutralized. I will perform a thorough manual removal later.

Morpheus and Yahoo Messenger are definitely explicit, user-initiated, willful installs, not drive-by installs.
Yahoo Toolbar is a sneaky bundled install that Yahoo planted with Messenger, behind a hidden dialog box.

Key Takeaway Points:

  1. For all practical intents and purposes, regard Yahoo Toolbar (or any other toolbar) as spyware, pure and simple. I'll be glad to offer additional insights and justifications.
  2. There are no real features/functions provided by web toolbars that cannot be performed in other ways, if you know the proper ways.
  3. Yahoo messenger and AIM, etc. are great tools, but you're only 1 step away from harm pushed out by Yahoo and AOL. A significant portion of their profit is coming from questionable outfits. They have no choice but to act on their behalf. That's why it's important to disable certain features within these programs or use custom stripped down versions, or even Open-Source versions.
  4. All so-called "P2P music sharing programs" must be absolutely avoided at all costs. Peer-to-peer is a misnomer here, started by the linguistically impotent and followed by the masses. It misses the whole main point and purpose. The proper term, as defined by Sam C. Chan, is:

     Anonymous Promiscuous Exchange (APE)

    Sharing is great, but:   Anonymous + Promiscuous = Recipe for Disaster

    Why justify that level of risk and engage in APE, when better alternatives exist? In any case, they have no place in the workplace.

  5. A host-based firewall is your friend. Don't tamper with its settings. Accept the limitations and blocking. Network-based firewalls are completely useless against spyware, as it is all out-bound initiated traffic tunneling through remote port 80 (a permitted scenario by definition, at the perimeter level). Remember, security is a holistic multi-layer process. There's no silver bullet.
  6. This is yet another example of why it is important to become a "real IT shop" with all users having Limited User Accounts (LUA), instead of administrator rights.
  7. A split-second act in error (click!) can incur multi-hour/day clean-up efforts. Bad guys always win. It's trivial to sabotage, but a daunting task to defend, and sometimes almost impossible to undo damages.

Copyright ©2006 Bravo Technology Center * Bravo:GO