Combating Zero Day Attacks

You might have secured your network against known vulnerabilities, but what do you do about the unknown ones? Welcome to the world of Zero Day Attacks. We tell you all about how to combat them.

Saturday, October 14, 2006


You have firewalls at every entry and exit point of your network. You regularly patch and update the antivirus on every server and node. Your operating systems are patched and updated regularly, and good spam filters and antivirus scan all incoming and outgoing mail and attachments. You do not allow any foreign machine onto your network until it has been scanned thoroughly. Even your password policy is strict: no password may be shorter than 8 alphanumeric characters, and passwords are forced to change every fourth night. These are reasons enough to lull you into believing that you are well and truly secure. Aren't they?

We don't want to scare you, but think of a scenario where a worm is spreading for which no antivirus has a signature and no cure exists. Your firewall doesn't recognize it, nor does your anti-spam gateway have a filter for it. How are you going to protect your systems against that kind of threat? You must be wondering how this is possible. Which worms can no security application or device know about? Welcome to the world of Zero Day Attacks!

What are ZDE and ZDA?
Irrespective of brand, type or technology, every appliance, device or application has some bug that can lead to a security compromise. Some of these flaws are known; others are not. There are organizations and individuals who hunt for such security bugs (also called vulnerabilities). The nature of their work differs, and depending on it they will either report the vulnerability publicly and help the vendor develop a patch for it, or pass it to the black hat community and help create an exploit for it.

Whenever the underground community learns of a flaw, it starts building an exploit for it. An exploit that works against a vulnerability for which no patch is yet publicly available is called a Zero Day Exploit, or ZDE (the "zero days" being the time the vendor has had to fix the flaw), and any attack carried out with such an exploit is called a Zero Day Attack, or ZDA. The window between the creation of the exploit and the public release of a patch is the period during which you are exposed.

Why should I care?
Security is a key concern for everybody. Every organization has invested heavily in security products and solutions to protect its networks, servers, desktops and applications against malicious code, and it already suffers heavy financial and productivity losses dealing with known attacks. Imagine, then, what an unknown attack can do: it can be the nastiest attack you have ever seen. The two factors that make a ZDA so dangerous are uncertainty and unpredictability. Technically, nothing is known about a ZDA at the time it happens, and in this case ignorance is not bliss: if you don't know about something, how can you protect yourself against it? There might be a worm running on your computer right now doing all sorts of nasty things, and you don't know about it because no antivirus has a signature to identify it.

BED 0.5
This is probably the easiest fuzzer to use. BED, the Bruteforce Exploit Detector, stress-tests implementations of network protocols such as FTP, SMTP, POP, HTTP, IMAP and LPD. It is a collection of Perl scripts that automatically test a server for buffer overflow and format string vulnerabilities by sending it a large number of very long strings and format specifiers. Running it is simple: invoke the Perl script, choose the protocol plugin that matches the service you want to test, and give it the host address and the port. It then brute-forces that service for a while. The command line is:

bed.pl -s <plugin> -t <target> -p <port> -o <timeout>

Here <plugin> selects the protocol to stress-test, <target> and <port> identify the service and <timeout> is the number of seconds to wait after each test case. By default it comes with 11 different protocol plugins. Run it only against servers you own or are authorized to test, and never against a production system: a test case that finds a bug is one that crashes the service.

And even though all your software is patched with the latest updates, your machines remain infected and you can lose data, money and productivity. The other problem with a ZDA is that even if you know a ZDE exists, you can't be certain when a patch will arrive. It can take anywhere from a few hours to a few months to get a patch for a ZDE. So if you are using an application with a known ZDE, you can expect a ZDA at any point during that period.

Let's take a very recent example. A new vulnerability in MS Word 2000, running on Windows 2000, was discovered on 2nd September this year. Microsoft was planning to ship the patch on 12th September, but at the time we went to press there was still no patch available. So the only way of protecting yourself from it, as any security company would tell you, is not to open documents from unknown sources. Likewise, there are many other Zero Day Exploits around us that can be used at any time.

So what to do?
That's a million dollar question, and we'll answer it in this story. Contrary to belief, there are plenty of ways to fight ZDAs, and in this article we cover the most common ones. The first on our list is fuzzing. You may have heard of it, because it is talked about quite a bit in the security world. Knowing about fuzzing will also help you understand how ZDEs are discovered in the first place.

See and configure rights on different APIs and files responsible for running any application

Understanding Fuzzing
No matter how good a developer is or how securely he writes code, some bug will be present in the application. Experts commonly quote a rate of around 5 bugs per 1,000 lines of code on average, and a good percentage of those bugs can be used to compromise the application. There are two ways of finding them. The first is the traditional way: someone sits down with the code and hunts for logic errors using a debugger, exception handlers and checkpoints. This gets much harder when you don't have access to the application's source code.

The second is fuzzers: programs or scripts written specifically to look for errors in a piece of code or an application. A fuzzer identifies every input the target accepts and feeds it large numbers of malformed, oversized or unexpected values, looking for inputs the code does not handle and that make it crash or misbehave. Fuzzers are also known as fault injectors because they create and inject faults into an application. You can download some very effective fuzzers from the Web for free. They can test applications, protocols, file formats and more, and are widely used to find new vulnerabilities such as buffer overflows, denial of service, SQL injection and XSS.

Now you must be wondering how fuzzers help protect your network and devices from zero day attacks. It is generally assumed that finding vulnerabilities is the job of hackers, security agencies or the people who wrote the software. Why put your precious time and money into it when you are already paying the software vendors handsomely? The answer comes in two parts. First, it is always better to learn about a vulnerability in your devices or applications before the attackers do. Once you have found it, you can approach a security agency or the product's vendor and ask them to fix it before an exploit becomes public.
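As an added example (not code from the article, and not BED's own code), here is the BED approach reduced to a few lines of Python: generate long strings and format specifiers for each protocol command, send them, and record what breaks. Because a live daemon would mean a network round trip, the target here is a constructed in-process toy SMTP handler with two deliberately planted bugs, one standing in for a buffer overflow and one for a format string flaw. The commands, lengths and payloads are assumptions chosen for the demonstration, not taken from any real fuzzer's plugin.

```python
"""BED-style fuzzing in miniature: generate long strings and format-string
payloads for each protocol command, throw them at a target and record which
inputs make it fall over.  The target is a constructed, in-process toy SMTP
command handler with two classic bugs, so the whole thing runs offline."""

import ctypes

BUFFER_SIZE = 512                       # the toy daemon's fixed-size line buffer
LENGTHS = (64, 256, 1024, 4096)         # assumed case sizes
FILL_CHARS = ("A", "/", "\\")           # assumed fill characters
FORMAT_STRINGS = ("%s" * 20, "%n" * 20, "%x" * 40, "%.1000d")


class ToySmtpServer:
    """Constructed stand-in for a mail daemon.  Not real SMTP: it exists only
    to show what a fuzzer finds.  Bug 1: the line is copied into a fixed
    buffer with no length check.  Bug 2: HELO's argument is used as a
    format string when building a log message."""

    def __init__(self):
        self.log = []

    def handle(self, line):
        data = line.encode("latin-1", "replace")
        buf = ctypes.create_string_buffer(BUFFER_SIZE)
        # Bug 1.  In C this would smash the stack; ctypes raises ValueError
        # ("byte string too long") instead, which the fuzzer treats as a crash.
        buf.value = data
        verb, _, arg = line.partition(" ")
        if verb == "HELO":
            # Bug 2.  Attacker-controlled text as the format string: "%s%s"
            # raises TypeError here, where a C printf("%n") would write memory.
            self.log.append(("client said " + arg) % ())
            return "250 hello"
        if verb in ("MAIL", "RCPT"):
            return "250 ok"
        return "500 unknown command"


def bed_cases(prefix):
    """Yield (label, payload) pairs in the style of a BED plugin: the command
    followed by long runs of a single character, then format specifiers."""
    for n in LENGTHS:
        for ch in FILL_CHARS:
            yield f"{prefix}{ch!r}*{n}", prefix + ch * n
    for fmt in FORMAT_STRINGS:
        yield f"{prefix}{fmt[:12]}", prefix + fmt


def fuzz(target, commands):
    """Run every case for every command against target.handle and return a
    list of (verb, label, exception type, message) findings.  Any exception
    counts; a real fuzzer would instead watch for the remote daemon dying
    or going silent after a case."""
    findings = []
    for verb in commands:
        for label, payload in bed_cases(verb + " "):
            try:
                target.handle(payload)
            except Exception as exc:
                findings.append((verb, label, type(exc).__name__, str(exc)))
    return findings


def summarize(findings):
    """Map each command to the set of exception types it produced: the
    shortlist you hand to the vendor, or your own developers, to fix."""
    summary = {}
    for verb, _label, exc_type, _msg in findings:
        summary.setdefault(verb, set()).add(exc_type)
    return summary


if __name__ == "__main__":
    server = ToySmtpServer()
    assert server.handle("HELO example.org") == "250 hello"   # normal traffic is fine
    results = fuzz(server, ["HELO", "MAIL", "RCPT"])
    for verb, label, exc_type, msg in results:
        print(f"{verb:5} {label:26} -> {exc_type}: {msg[:48]}")
    print("summary:", summarize(results))
```

Against a real service you would replace target.handle with a socket send and receive and treat a dropped connection or a timeout as the finding; the case generation and the reporting stay the same. Only the HELO command shows the format string problem, which is exactly why a fuzzer has to cover every command and every argument position rather than a representative one.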

PIRANA
This fuzzer is a penetration testing framework designed to check the security of an SMTP content filter. It tests the filter against several known exploits and vulnerabilities, and also sends viruses embedded in e-mail to check whether the content filter detects them.
You can use it by running the following command:

pirana.pl -e <exploit number> -h <host> -a <e-mail address> -s <shellcode type>

Here the exploit number selects the exploit the SMTP content filter is tested with, the host is the mail server under test and the e-mail address is the recipient the test messages are addressed to. By default PIRANA knows 5 exploits; it also lets you add your own. The shellcode type specifies the payload carried by the exploit: if the filter is vulnerable, the payload runs and calls back to you, which is how you learn the test succeeded. For now it comes with two kinds: TCP connect back and UDP connect back.

The second and more important case is when you have custom-made applications, say a web-based CRM package. Here you are the owner of the product, and if there is a vulnerability or code flaw in it, no security agency will ever hear about the issue. So you have to be proactive enough to run such fuzzers against your application yourself, find the flaws and fix them.

Fuzzers are not limited to finding exploitable bugs. One fuzzer, PIRANA, is capable of testing how strong your e-mail content filter is. We liked it so much that we plan to include it in our spam filter testing benchmarks. There are plenty of fuzzing frameworks available that let you build your own fuzzer for a specific test situation.

Application firewalls
The best way to fight any kind of unknown attack is to stop your application from doing anything it is not supposed to do. For that you need an application firewall: a tool that records an application's normal behavior (the files, paths and permissions it needs) and saves that as a profile. Whenever the application does something outside the profile, the tool either raises an alert or simply blocks the action. The concept is much like SELinux, but AppArmor, an open source application firewall, is easier to configure and manage. In the following sections we also talk about a Windows-based application firewall called Socket Shield.

This software provides protection against ZDA worms from malicious websites by continuously monitoring the traffic coming from port 80

1. AppArmor: AppArmor is an open source application firewall currently maintained by Novell. You can get the source and documentation from http://forge.novell.com/modules/xfmod/project/?apparmor and compile and install it on top of any Linux distro. But if you want the easiest way out, get a copy of SLES 10 or openSUSE 10: both ship AppArmor out of the box. The benefit here is easy management through SuSE's well-known configurator, YaST. The complete configuration is wizard driven, and the application can be up and running in a couple of minutes.

For configuration, fire up YaST and select the AppArmor tab from the left pane. Clicking on this will show you all the wizards available to configure AppArmor. Now to add and secure any application, all you have to do is click on the 'Add Profile' icon. This will fire up a wizard. Now, browse to the executable file, which you want to secure.

After selecting the file, click Next and proceed. On the next screen the wizard asks you to run the application for a while. Run the application you have just added to the profile for a few minutes and perform all the normal tasks associated with it. This lets the wizard record every file, path and capability the application needs. Once you have done this, click Finish, and the application is confined. You can fine-tune the profile, adding or removing files, paths and permissions, under 'Edit Profile'. Note that the profile only contains what the application did during the learning run: exercise every feature, or legitimate actions will be blocked later and you will be tempted to loosen the profile. Whenever a virus or worm (known or unknown) takes over the application and tries to touch files or settings outside the profile, AppArmor detects the attempt, blocks it and logs an alert.
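As an added example (not from the article, and not a profile generated by the YaST wizard), this is what an enforced AppArmor profile for a hypothetical web-based CRM daemon at /usr/sbin/crmd might look like once the learning run is finished and the result has been reviewed. The binary name and every path are assumptions for illustration, and the deny rules assume a current AppArmor release. The point to take from it: the profile lists only what the program was observed to need, so an exploited process that tries to read /etc/shadow, write under /home or launch a shell is refused and the refusal is logged.

```apparmor
# /etc/apparmor.d/usr.sbin.crmd  (hypothetical daemon and paths)
#include <tunables/global>

/usr/sbin/crmd {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Bind a privileged port and speak TCP; no other network access.
  capability net_bind_service,
  network inet stream,

  # The executable itself, its configuration, data, logs and pid file.
  /usr/sbin/crmd mr,
  /etc/crmd/** r,
  /var/lib/crmd/** rw,
  /var/log/crmd/*.log w,
  /run/crmd.pid rw,

  # Anything not listed is already refused; explicit deny rules make the
  # refusal deliberate and keep it from being "fixed" by a later aa-logprof
  # run.  A worm that has taken over the process cannot read credentials,
  # tamper with user data or spawn a shell.
  deny /etc/shadow r,
  deny /home/** rw,
  deny /bin/** x,
  deny /usr/bin/** x,
}
```

Load it with apparmor_parser -r /etc/apparmor.d/usr.sbin.crmd, or generate the first version from a learning run with aa-genprof, which is the same mechanism the YaST wizard drives. Start in complain mode (aa-complain) so that violations are only logged, review the denials with aa-logprof, then switch to enforce mode (aa-enforce) once the profile covers everything the application legitimately does.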

WebApp can protect you from an attacker, pen-testing your website, by providing Form and Cookie validation 

2. Socket Shield: Socket Shield is a utility that protects you against zero day worms and other malware delivered through websites. Yes, you read that right: it only monitors traffic arriving on port 80, so traffic on any other port, including HTTPS on 443, is not inspected. It watches the incoming stream for known-bad IP addresses and for exploits. The entire process is invisible to the user and does not noticeably affect system performance. In other words, it protects computers from vulnerabilities by monitoring socket-level traffic for exploits and closing the socket when one is detected, so the exploit never reaches your PC. This provides two levels of protection: blocking and shielding. The former uses a list of IP addresses known to serve exploits, and all HTTP requests for any page in those domains are simply blocked. In the latter, the program is 'exploit aware' for all current exploits and a select list of 'immediate past' exploits, identified by their signatures and/or other uniquely identifiable components. When Socket Shield inspects a stream and discovers an exploit in it, it immediately blocks the exploit and the website serving it.

Installing and using Socket Shield is very simple. Once it is run it starts monitoring the system and doesn't require any configuration from the user. If you want to customize it, then open its control panel and customize your installation, and view a list of exploits and malicious websites that have been blocked. It also gives you news from its vendors' Exploit Prevention Labs.

Watchguard and ZDA
Watchguard has a large range of appliances that provide protection against zero day attacks. Its Firebox X Core and Peak Unified Threat Management appliances all protect against new and unknown attacks without needing signatures. They use an Intelligent Layered Security architecture that combines technologies such as protocol anomaly detection, pattern matching and behavior analysis to stop different classes of attack.

Socket Shield runs from the system tray and continuously displays its status. Under Network Activity, it shows all open processes on your computer that have access to the Internet and the number of bytes each has sent and received.

Similarly, it shows a list of exploits it has prevented under the 'Exploits Prevented' tab and details about websites blocked by it under 'Malicious Sites Blocked' tab. As far as performance of the software goes, it managed to block access to all the malicious websites that we tried to access from the system.

Web server protection
Remember famous worms like Code Red and Nimda, which attacked Web servers and caused plenty of damage? As network perimeters become harder to penetrate thanks to firewalls, IDS devices and secure gateways, attackers have turned to Web applications. WebApp.secure is software for Web server hardening and Web application security; you can download it from www.websecurity.com/pe.htm. It uses what its vendor calls web/insite technology to learn and enforce a website's Intended Use Guidelines (how the Web server and the applications it runs are meant to be used). All activity that does not meet the Intended Use Guidelines is automatically blocked and reported.

Prevx1 continuously monitors system and application behavior. When it finds suspicious activity it immediately alerts the user and its community database

Thus, it provides protection against zero day worms. Whenever a worm tries to exploit a vulnerability it will detect some change on the Web server and automatically block it. Other than zero day it also provides protection against SQL Injection attacks, URL parameter tampering, forceful browsing, cross-site scripting attacks, buffer overrun attacks and also protection against website defacement.

It also allows you to run multiple instances to protect multiple IP-based virtual websites on the same server, each with its own configuration. WebApp.secure is configured in five steps. First it asks for the basic Web server configuration, then for entry points: one or more URLs that are accessible without restriction from outside. From there its web/insite feature automatically starts identifying the Intended Use Guidelines. Next you define policies for directories, and the logs, alerts and notifications to produce when an attack occurs. The software does plenty of logging to provide an audit trail of activity: besides regular system logs and HTTP header logs, it also records the W3C standard log fields. Then you set performance tuning for the Web server and SSL properties. It also lets you enable form and cookie validation. Once you have completed these steps the software is ready to protect your Web server.
