Ethical Hacker Community Forums
July 04, 2008, 03:17:24 PM
Show Posts
1  General Discussions and Related Certifications / Malware / Malware Resistance Assessment on: July 02, 2008, 04:21:41 PM
We have all heard of a "Vulnerability Assessment" or a "Network Security Assessment", but what about a "Malware Resistance Assessment"?

Well, it came to my mind this morning while talking to one of my customers about hardening their machines to be more "resistant" to malware infections.

It's not clear if there is any kind of standard to follow when we need to measure the "resistance level" of our network against malware, but based on my knowledge and experience, I'd like to craft an essential checklist of questions for you to answer yourself:

1) Do you have the latest version of the antivirus that is currently running on your system?

2) Is the antivirus capable of detecting known malware, rootkits and zero-day exploits using a proactive technique?

3) Is the antivirus capable of detecting unknown malware, rootkits and zero-day exploits using a proactive technique?

4) Do you have a patch-management strategy to fix operating system and third-party application vulnerabilities?

5) Do you have an Internet content filtering solution to block access to websites that host malicious code?

6) Do you have an antispam solution to filter spam and scan for malicious attachments and embedded links?

7) Do you have the latest versions of the running software/applications that require installing an ActiveX component?

8) Do you have the latest version of the running Internet browser? "The latest browsers have been engineered to add phishing/malware filtering."

9) Do you have a policy that forbids and blocks the usage of removable drives in your network?

10) Do you have a policy that forbids and blocks the installation of unapproved software?

11) Do you have a bandwidth monitoring solution to track network and Internet protocol usage in real time?

12) Do you have a firewall/UTM solution that supports virus scanning of Internet traffic?

13) Do you have an IDS/IPS solution that can observe malware activities in your network?

14) Do you run a honeypot that monitors the dark space in your network/DMZ for malware propagation?

15) Do you have the proper FW ACLs that prevent inbound/outbound traffic related to malware communications?

16) Do you have a "malware outbreak incident response" plan?

17) Do you follow the concept of "least privilege" whenever you install/configure a software/service?

18) Do you have a training program that gives you or your team the needed malware-related skills?

19) Do you have a "malware containment strategy" in case of any large-scale propagation?

20) Do you have solid backup & recovery of data and systems in case of data loss due to a malware infection?

21) Do you have security awareness training for users to reduce the number of infections or to improve users' actions in reporting incidents?

22) Do you have a secure deployment process for new machines in your network? (Up-to-date OS, up-to-date AV, hardened OS, only approved applications installed, limited user permissions.)

23) Do you follow a password security policy in your network? (Network share passwords, administrator account password, complex passwords, password expiration, changing default passwords.)

If you have anything not mentioned in this list, you're welcome to add it.

2  General Discussions and Related Certifications / Malware / Re: Malware Silently Alters Wireless Router Settings on: June 14, 2008, 02:06:35 AM
How will DNSChanger invade your router if you have changed the default password?

How will DNSChanger reach your management console if you restrict access to a specific IP (e.g., the admin machine, whose user is more careful than ordinary users)?

How will DNSChanger infect a machine if you filter fake-codec websites/pages (e.g., using Websense)?

How would you know if some hacker/malware is doing any malicious activity in your network without deploying an IDS?

See, our problem is that we don't follow the book ...
3  General Discussions and Related Certifications / Malware / Re: Malware Silently Alters Wireless Router Settings on: June 13, 2008, 06:05:07 PM
As you wish, don. ;)

Countermeasures against DNSChanger:


1) Change your router's default password to something complex. Make sure it's long and contains symbols and numbers.

2) Configure your router to allow management access from a specific machine only (e.g., the admin PC); this will prevent infected machines from reaching your router.

3) Update the current firmware to fix any security issues.

4) If possible, change the management port to something else (e.g., port 80/443 to 555).

5) Configure syslog/SNMP on the router to watch for any configuration modifications or failed logins.

6) Rename the admin account on the router, or see the next item.

7) Disable/delete the admin account, and create another one with a different name and password.

8) Deploy an IDS on your network to detect malicious activities (e.g., router user/password brute-force attacks, requests to rogue DNS servers, video codec downloads).

9) Deploy a URL filtering software/appliance that filters access to any malicious websites/pages that provide codecs/fake codecs.

10) Disable UPnP on your router, because it's not secure anymore. Check here: http://www.google.com/search?hl=en&q=upnp+exploit+router

11) Block access to these IPs (85.255.116.164 / 85.255.112.81).

12) Use Pure Networks Security Scan for wireless networks: http://www.purenetworks.com/securityscan/

13) Keep your machines up to date. Most malware targets a specific vulnerability to reach the system.

14) Get legitimate video codecs, install them on your machines, and inform your users that their machines are ready to play any video format and there is no need to download codecs from untrusted sites. Check http://www.free-codecs.com/download/K_lite_codec_pack.htm


Safe browsing ... :)
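The countermeasures above, together with the questions in the earlier reply about restricted management access, IDS coverage and rogue resolvers, come down to two checks that can be automated. The script below is an added example, not code from the original post or from its author: it audits the resolvers a host is actually configured with (from `ipconfig /all` or `/etc/resolv.conf` output) against the two addresses item 11 says to block, and it scans firewall log lines for DNS traffic that leaves the approved resolver set, which is the "requests to rogue DNS servers" signal item 8 asks an IDS to raise. The approved resolver addresses, the sample configurations and the iptables-style log lines are constructed for the example and are assumptions, not data from the page.

```python
"""Added example: two automated checks for DNSChanger-style resolver hijacks."""
import ipaddress
import re

# The two addresses the post says to block (item 11). Treated as the only rogue indicators here.
ROGUE_RESOLVERS = frozenset({"85.255.116.164", "85.255.112.81"})

# Assumption: the resolvers this example network hands out via DHCP.
APPROVED_RESOLVERS = frozenset({"192.168.1.1", "192.168.1.2"})

# "ipconfig /all" prints resolvers after "DNS Servers . . . :", with any extra
# resolvers on bare continuation lines; /etc/resolv.conf uses "nameserver <ip>".
_WIN_DNS = re.compile(r"DNS Servers[ .]*:\s*(\S+)")
_BARE_IPV4 = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")
_UNIX_NS = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)

# Assumption: iptables/netfilter-style log lines with SRC=/DST=/PROTO=/DPT= fields.
_FLOW = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) .*?DPT=(\d+)")


def classify_resolver(ip):
    """Return 'rogue', 'approved', 'unapproved' or 'invalid' for one resolver address."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    if ip in ROGUE_RESOLVERS:
        return "rogue"
    if ip in APPROVED_RESOLVERS:
        return "approved"
    return "unapproved"


def extract_resolvers(config_text):
    """Pull resolver addresses out of ipconfig /all or resolv.conf output, in order."""
    found = []
    lines = config_text.splitlines()
    for i, line in enumerate(lines):
        m = _WIN_DNS.search(line)
        if not m:
            continue
        found.append(m.group(1))
        for nxt in lines[i + 1:]:  # continuation lines carry only an address
            b = _BARE_IPV4.match(nxt)
            if not b:
                break
            found.append(b.group(1))
    found.extend(_UNIX_NS.findall(config_text))
    return found


def audit_host(config_text):
    """Verdict per configured resolver; the host counts as hijacked if any resolver is rogue."""
    verdicts = {ip: classify_resolver(ip) for ip in extract_resolvers(config_text)}
    return {"resolvers": verdicts, "hijacked": any(v == "rogue" for v in verdicts.values())}


def find_rogue_dns_flows(log_lines):
    """(src, dst, verdict) for every port-53 flow whose destination is not an approved resolver."""
    hits = []
    for line in log_lines:
        m = _FLOW.search(line)
        if not m:
            continue
        src, dst, _proto, dport = m.groups()
        if dport != "53":
            continue
        verdict = classify_resolver(dst)
        if verdict != "approved":
            hits.append((src, dst, verdict))
    return hits


# Constructed sample inputs for the example (not real captures).
SAMPLE_IPCONFIG = """Windows IP Configuration
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.1.37
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.116.164
                                       85.255.112.81
"""
SAMPLE_RESOLV_CONF = "search corp.example\nnameserver 192.168.1.1\nnameserver 192.168.1.2\n"
SAMPLE_FW_LOG = [
    "Jun 13 18:05:07 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=85.255.116.164 PROTO=UDP SPT=1054 DPT=53 LEN=41",
    "Jun 13 18:05:08 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=192.168.1.1 PROTO=UDP SPT=1055 DPT=53 LEN=38",
    "Jun 13 18:05:09 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=85.255.112.81 PROTO=TCP SPT=1056 DPT=80 LEN=60",
    "Jun 13 18:05:10 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=203.0.113.53 PROTO=UDP SPT=1057 DPT=53 LEN=44",
]

if __name__ == "__main__":
    print("workstation:", audit_host(SAMPLE_IPCONFIG))
    print("server:     ", audit_host(SAMPLE_RESOLV_CONF))
    for src, dst, verdict in find_rogue_dns_flows(SAMPLE_FW_LOG):
        print(f"ALERT {src} -> {dst}:53 ({verdict} resolver)")
```

Run it as a script to see the verdicts for the embedded samples; in practice you would feed it `ipconfig /all` output collected from each workstation, and a firewall with a different log format needs its own regex in place of the assumed one. Flagging "unapproved" resolvers as well as "rogue" ones is deliberate: a blocklist of two addresses only catches the variant this thread saw, while an allowlist of your own resolvers catches any hijack, whatever address the next variant uses.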
4  General Discussions and Related Certifications / Malware / Re: Malware Silently Alters Wireless Router Settings on: June 13, 2008, 03:28:32 PM
I've compiled a countermeasures list to stop and prevent DNSChanger.

Check here:

http://extremesecurity.blogspot.com/2008/06/use-default-password-get-hijacked.html
5  General Discussions and Related Certifications / Malware / Re: how to find 'interesting' malware samples? on: June 03, 2008, 02:31:14 PM
If you want to make this process more exciting, treat it as hunting. Have you watched AVP (Aliens vs Predators)? After you get the sample from Nepenthes, you can run it inside a "controlled" and "restricted" network. Then use some sniffing/IDS/IPS/AV tools to observe the life cycle of the malware, from infection to detection. With this you can build strong skills in malware analysis and in how to build defenses. For more information about manual malware analysis, give these a try:

http://extremesecurity.blogspot.com/2008/02/analyze-malware-infections-on-your-own.html

http://extremesecurity.blogspot.com/2008/02/analyze-malware-infections-on-your-own_10.html

http://extremesecurity.blogspot.com/2008/02/malwares-containment-basics.html

http://extremesecurity.blogspot.com/2008/02/malwares-containment-level-ii.html

http://extremesecurity.blogspot.com/2008/03/malwares-containment-quarantine.html

Don't Try This At Your Work

http://extremesecurity.blogspot.com
6  Resources / Tutorials / A new blog about malwares & security on: March 26, 2008, 08:30:16 AM
Hi all,

I'm Xmachine, a new member here in the EHN forum. I'd like to invite everyone to check out my new blog about malware and security.

http://extremesecurity.blogspot.com/

7  General Discussions and Related Certifications / Malware / Re: spyware,trojan malwares on: March 26, 2008, 07:40:38 AM
Hi,

Sometimes antivirus software will be defeated, and then you'll be on your own. I've written on my blog about analyzing and cleaning malware on your own. Check them out:

http://extremesecurity.blogspot.com/2008/02/analyze-malware-infections-on-your-own.html

and

http://extremesecurity.blogspot.com/2008/02/analyze-malware-infections-on-your-own_10.html

Enjoy.
© 2008 The Ethical Hacker Network