Three Free Tools to Detect and Prevent Spyware at the Network Perimeter
Matthew Jonkman
Security isn't cheap. We all know that. How much
it costs depends on the level of security you need and the level of risk
you and your organization are willing to tolerate.
Security can cost us in many ways -- the latest
and greatest appliance from XYZ Company, Managed IPS/IDS, Web Content
Filter Subscriptions, Log Correlation Products, etc. We can pine for the
good old days when security didn't seem to be such an issue, but if
you think about it, you'll probably find that security has always
been an issue. The threats have just become more varied, and the attackers
more plentiful.
So, what do you do when your budget will allow only
one of the following this year:
1. The 20 bazillion jujigabyte* RAID array that
Accounting needs to upgrade to the newest accounting package (*jujigabytes
are covered in another article).
2. The latest and greatest security device
that'll keep you from having another embarrassing virus outbreak.
There's a good argument for both. On one hand,
addressing Accounting's needs will make sure they continue to look
favorably upon the IT staff, and your people will continue to get paid on
time. But if you hadn't had that virus outbreak, you'd not have
lost two days' work on IT projects, nor the confidence of the users
and departments that were infected.
Never fear, there are alternatives. There are a wide
range of commercial devices and subscriptions that can do wonders for your
overall security. You probably know most of them. The dirty little secret
of the security world is that many of these devices and solutions are
either based on an open source project or have an equivalent open source
project. When you purchase one of these commercial devices, you're
usually paying for some tweaks, handholding, and a slick management
interface. If you can afford it, that management interface is well worth
the money. If you can't afford every appliance you need, read on.
There are many great open source projects that you
can safely drop into your network and run. There are also many that are
risky and require a deep understanding and constant feeding and care. Then
there are some that are only for the experts in that particular protocol or
service -- those that can take care of that system full time. You have
to decide which ones you need and what you can afford to invest in the
project. Yes, there is always investment, not necessarily cash to buy
something, but your time to learn, install, and maintain.
The main spyware control techniques I recommend are:
- DNS Blackholing
- User Agent Filtering
- IDS/IPS
In this article, I will cover each of these techniques
and provide example projects, along with some implementation details where
necessary. But the biggest thing to remember is that you must decide which
of these you can handle for the long term. Anyone can follow the directions
to install and configure these and get them running well. But they require
different levels of long-term care and feeding, as does any commercial
system.
Spyware Protections
Spyware packages are like modern day door-to-door
salesmen, except they're not in cheap suits hawking vacuum cleaners.
They're in Armanis selling your information to others and using your
monitor as ad space for anyone who will pay.
And those are just the reputable ones. The bad
guys are in this space as well, and they're doing things like
redirecting you from the Amazon shopping cart to one of their clients when
you buy online, and far worse.
There are two major things we need to do to control
spyware -- stop the installation of new
ones and detect those that already exist on your network.
Stopping the installation can be difficult. The bad
guys are very resourceful, using Internet Explorer exploits, piggybacking on games, and pretending to be spyware cleaners, Internet
accelerators, etc. You likely won't stop all of the installs,
especially if your organization is unwilling to stop using IE for general
browsing. But you can put a serious dent in them.
DNS Blackholing is a process by which you provide bad
replies to DNS lookups for domains you don't want your clients to
access. This is particularly effective with spyware programs, because they
use DNS to load balance your requests among many servers or to allow them
to move around when they are detected. The key is having a good list of
domains that:
1. Covers most of the bad stuff.
2. Doesn't contain
domains to which you DO want to allow access.
3. Doesn't block all ad sites (legitimate ads
make the Internet go round).
4. Is easily updatable.
5. Will be maintained for the long term.
There are many block lists on the Internet. A couple
that I recommend are BlueTack (http://www.bluetack.co.uk) and the DNSBH Project at Bleeding Snort (http://www.bleedingsnort.com). I'll go into
detail on the latter.
The DNSBH Project at Bleeding Snort is interesting
because of the hard work David Glosser and his volunteers put into the
list. Glosser monitors many other lists and information sources, which
results in a list of domains that are well researched and an aggregate of
the many very good lists out there.
You can find a very detailed concept and project paper
at:
http://www.bleedingsnort.com/staticpages/index.php?page=bhdns
and at:
http://www.bleedingsnort.com/blackhole-dns/files/
The first link covers the specifics of blackholing.
Please go there if you are interested in the extreme details of the topic.
In a nutshell, DNS blackholing tells your DNS server that it is
authoritative for the domains you don't want clients to access and
gives it a fake zone file to serve up. Most folks have that zone file
resolve to 127.0.0.1.
This technique blocks the majority of the new spyware
installs that are called by DNS and also neuters existing infections
because they can no longer report home or download new code.
The goal is to create an environment where all your
internal users go to an internal DNS server that you control. I also
recommend blocking outbound port 53 from all clients except your DNS
servers. This will prevent a misconfiguration from bypassing your DNS controls.
A very interesting twist here is to have your DNS
server resolve all requests in those domains to an internal Web server. You
can then look through those Web logs on a regular basis, making a list of
all the infected hosts on your network and what they're trying to do.
An Apache server with no content in the Web root will do this just fine.
That concept has been taken to the next level in the
Bleeding Snort Spyware Listening Post. This is a project where volunteers
have pointed all the spyware in their networks to our listening servers.
These servers return a blank page with the number 1 to all Web requests,
and the Web logs are sanitized and analyzed by a corps of volunteers. This
results in new IDS signatures for new spyware packages and the discovery of
new domains and companies involved in this practice to add to the DNS
blackhole lists. More information about this project is available at:
http://www.bleedingsnort.com/staticpages/index.php?page=listeningpost
Volunteer analysts are always welcome, and you can
find more information about that at the link provided.
You can do DNS Blackholing with nearly any DNS server.
There are pre-built zone files for Bind and Microsoft DNS servers, as well
as simple scripts to update these automatically.
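As an added example (not code from the article or from the DNSBH project), here is a small Python script that turns a domain block list into BIND configuration: it first drops any entry that would also sink a domain on your allowlist (item 2 of the list above, remembering that a blackholed parent zone answers for every subdomain beneath it), then emits one zone stanza per domain and a shared sinkhole zone file pointing at 127.0.0.1 or at your internal logging Web server. The zone file path, SOA values and sample domains are assumptions.

```python
import re  # not used for matching here; kept out of the way of the zone syntax


def normalize(domain):
    """Lower-case, trim, and drop a trailing dot so list entries compare equally."""
    return domain.strip().lower().rstrip(".")


def ancestors(domain):
    """Yield the domain itself, then each parent: a.b.example -> b.example -> example."""
    labels = domain.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def filter_blocklist(blocklist, allowlist):
    """Drop block entries that would sink an allowed domain.
    A blackholed zone answers for every name beneath it, so a block entry of
    'example.com' would also swallow an allowed 'mail.example.com'.
    Returns (kept, dropped), de-duplicated and in original order."""
    protected = set()
    for allowed in allowlist:
        protected.update(ancestors(normalize(allowed)))
    kept, dropped, seen = [], [], set()
    for entry in blocklist:
        entry = normalize(entry)
        if not entry or entry in seen:
            continue
        seen.add(entry)
        (dropped if entry in protected else kept).append(entry)
    return kept, dropped


def named_conf_zones(domains, zone_file="/etc/bind/blackhole.zone"):
    """One 'zone' stanza per domain; all of them share the same sinkhole zone file (assumed path)."""
    return "".join(
        f'zone "{d}" {{ type master; file "{zone_file}"; }};\n' for d in domains
    )


def sinkhole_zone(sink_ip="127.0.0.1", serial=2005101201):
    """Zone file served for every blackholed domain. Point sink_ip at 127.0.0.1,
    or at an internal Web server whose logs then reveal the infected clients."""
    return (
        "$TTL 86400\n"
        f"@ IN SOA localhost. hostmaster.localhost. ( {serial} 3600 900 604800 86400 )\n"
        "@ IN NS localhost.\n"
        f"@ IN A {sink_ip}\n"
        f"* IN A {sink_ip}\n"
    )
```

Write the output of named_conf_zones() to a file included from named.conf and the output of sinkhole_zone() to the zone file path, then reload BIND.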
That's just one form of spyware control. There
are also spyware agents that do not use DNS, but have hard-coded IPs that
they contact and from which they get code and ads. There are ways to track
these suckers, too.
User-Agents are a part of all HTTP connections. A
typical Web request that the client sends out contains not just the URL;
the request reports much more information so the Web server can return the
most appropriate content. For example, this is a request to yahoo.com:
GET / HTTP/1.1
Host: www.yahoo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
The lines of most interest here are the User-Agent and
Host. As you can see, this request was made from a Windows XP box, using a
Mozilla-compatible Web browser, specifically Firefox. This is important information. But, what is interesting about
spyware is that most packages use either a completely unique User-Agent or they append themselves into a standard User-Agent
string. This allows us to detect them in yet another way.
Here are sample Web User-Agent lines from common
spyware packages:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; FunWebProducts; .NET CLR 1.1.4322)
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; sbu-hb-4.7.5-ie)
User-Agent: Mozilla/4.0 (compatible; MSNT 5.0; FunWebProducts; .NET CLR1.1.4322)
These requests are unique and predictable, and there
are several ways to detect and stop them. We can get them by using Web
proxies that can filter by user agent. Some firewall URI filters can do
this as well. We can also use IDS/IPS signatures to detect and even block
these.
If you are already doing Web content filtering, or
just proxying for speed, you can apply these filters to that server and
block or track these requests. This will stop many new installs and stop
existing installs from reporting home. The most important aspect is to
review those logs and clean the workstations that make Web requests with
known spyware user-agent strings.
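Added example, not code from the article: a Python log reviewer that serves both the sinkhole Web server logs described earlier (every hit there names an infected host and the blackholed domain it asked for) and ordinary proxy logs (only requests carrying one of the spyware User-Agent markers quoted above are flagged). It assumes Apache's combined log format with a quoted %{Host}i field appended; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Substrings taken from the spyware User-Agent samples quoted in the article.
SPYWARE_UA_MARKERS = ("FunWebProducts", "sbu-hb")

# Assumed format: Apache "combined" plus a quoted %{Host}i field at the end,
# so the sinkhole log records which blackholed name each client asked for.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"(?: "(?P<host>[^"]*)")?\s*$'
)


def parse_line(line):
    """Return the log fields as a dict, or None for a line in another format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def ua_markers(user_agent, markers=SPYWARE_UA_MARKERS):
    """Spyware markers present in a User-Agent string (case-insensitive)."""
    return tuple(mk for mk in markers if mk.lower() in user_agent.lower())


def review_log(lines, sinkhole=False, markers=SPYWARE_UA_MARKERS):
    """Map client IP -> evidence. On the sinkhole Web server every request counts
    (the client resolved a blackholed name); on a proxy log only spyware UAs do."""
    report = defaultdict(lambda: {"hits": 0, "hosts": set(), "markers": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        found = ua_markers(rec["ua"], markers)
        if not sinkhole and not found:
            continue
        entry = report[rec["ip"]]
        entry["hits"] += 1
        if rec["host"]:
            entry["hosts"].add(rec["host"])
        entry["markers"].update(found)
    return dict(report)


# Constructed sample sinkhole log lines, not real traffic.
SAMPLE_LOG = [
    '10.1.2.3 - - [12/Oct/2005:13:55:36 -0500] "GET /report.cgi?id=1 HTTP/1.1" 200 1 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; FunWebProducts; .NET CLR 1.1.4322)" "ads.bad.example"',
    '10.1.2.3 - - [12/Oct/2005:13:55:40 -0500] "GET /update.php HTTP/1.1" 200 1 "-" '
    '"Mozilla/4.0 (compatible; MSIE 5.01; sbu-hb-4.7.5-ie)" "cdn.bad.example"',
    '10.1.2.9 - - [12/Oct/2005:14:01:02 -0500] "GET / HTTP/1.1" 200 1 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7" "ads.bad.example"',
]
```

Run review_log(SAMPLE_LOG, sinkhole=True) against the sinkhole log to list every client that resolved a blackholed name, and review_log(proxy_lines) against a proxy log to pull out only the clients sending known spyware User-Agents.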
The next free tool I'll cover is Snort, which is
a well-known Intrusion Detection System (IDS) package.
Snort has an incredible number of uses on your network. If you are not
running any form of IDS, you should be. If you are, here are some new
signatures that you can use to detect spyware
and malware. If you're in a mode where you're able to block,
you can instantly stop the spyware while generating an alert to handle the infection.
There is an extensive list of signatures for spyware.
These are designed to alert on user-agent
strings, URLs of known spyware packages, and destination hosts. These are
updated frequently and can be found here:
http://www.bleedingsnort.com/bleeding-malware.rules
If you are using Snort but aren't able to block
(that is, you're not running it in an IPS mode), you might consider trying another open source project,
called SnortSam (http://www.snortsam.net). SnortSam, which was
written by Frank Knobbe of Praemunio Security, has plug-ins for nearly
every firewall out there. It takes the hits from Snort and, based on your
definitions, will make the blocks happen, even if all you have is a Cisco
router out front.
The true value of SnortSam is the timing. You define
which signatures result in a block, but you also define how long that block
should be. This requires a good deal of thought on your part but results in
a very valuable service. If you keep the block time down on the signatures
that could result in a false positive now and then, the impact is
minimized. With or without blocking, Snort will tell you where you have
infections. And that's 90% of the battle in fighting this scourge.
Once you know where they are, the majority of
infections are very easy to clean up using the freely available tools and
antivirus packages. As with anything in security, breaches will happen, and
if you're not watching they will cost you dearly. Using the tools and
techniques I've mentioned in this article can help you detect and
prevent many spyware infections.
Matt Jonkman is founder of Bleeding Snort (http://www.bleedingsnort.com). He has been an information security consultant
and engineer in healthcare, telecom, banking, and many other industries. He is currently CTO of Infotex (http://www.infotex.com), a full service information security consultancy.