Subscribe via E-mail

Your email:

Latest Posts

Posts by category

ForeScout Blog

Current Articles | RSS Feed RSS Feed

Protect your network against Flame with ForeScout CounterACT

Posted by Bob Reny on Thu, May 31, 2012 @ 11:11 AM
  
  
  
  
Add to delicious  delicious  
  

Bob RenyNews headlines across the Internet are describing a very interesting new malware called Flame. (a.k.a sKyWIper). The deployment and action payload suggest this is a major evolution of malware with increased complexity and capability.

We have been deluged with questions from customers asking whether CounterACT can protect their networks against Flame. The short answer is “yes”. In this post, I’ll tell you how to configure ForeScout CounterACT to block several of the propagation techniques used by Flame.

At a high level, in order to protect your organization against Flame, you need to:

  1. Detect and block propagation attempts on your network
  2. Detect whether new hosts connecting to your network are infected by Flame
  3. Understand if all your managed systems  are properly protected from infection by your antivirus of choice

 

Identify propagation on your network

To propagate, Flame looks for vulnerable services on your network. It uses some of the same propagation techniques that STUXnet used, which ForeScout products blocked on day zero.  Blocking these propagation techniques is quite easy, you just need to configure ForeScout’s ActiveResponse technology. Here is how you do it:

CounterACT Policy check #1: Create a default policy looking for malicious host communicating on the network.

 Flame policy check 1

CounterACT Policy check #2: Create a policy that looks for a specific HTTP user agent which is embedded within Flame.  HTTP USER AGENT check, matches= Mozilla/4.0 (compatible; MSIE 6.0; Windows NT5.1; .NET CLR 1.1.2150)

 Flame Policy check 2 resized 600

This policy will check systems in two ways: host OS inspection and network packet monitoring.

 

Detect if a new host connecting to your network is infected

There are several methods to detect the presence of Flame on a host before it connects to your network. The most straightforward is to check for specific file names and registry key values as shown below. The key thing that you need to know is that CounterACT can check unmanaged hosts in this way. You may feel comfortable that all your managed systems have proper endpoint protection (McAfee, Symantec, etc.), but it is important that your network be able to protect itself against unmanaged systems connecting to your network. (Think BYOD.)  ForeScout CounterACT does this.

CounterACT Policy check #3:

Flame Poliicy check 3 resized 600

File Exits:

  1. File search: \Program Files\Common Files\Microsoft Shared\MSSecurityMgr
  2. File Search: \Program Files\Common Files\MSAudio
  3. File Search: \Program Files\Common Files\MSAuthCtrl
  4. File Search: \Program Files\Common Files\MSAPackages
  5. File search: \Program Files\Common Files\MSSndMix

 Registry Key Value  (Registry Check for LSA registry modification)

 Flame policy check 3b resized 600

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Autenthication

Added key: Authentication Packages= mssecmgr.ocx

 

Are all your managed hosts protected by antimalware?

The new active payload that is inside Flame still has a lot to teach the security world as the full contents of the code are still being discovered. (Trust me this is really cool stuff in a dark, wicked kinda way.) By now, antimalware vendors have updated their products to detect and remove the Flame threat. However, your job is not done, because you need to ensure that your antimalware product of choice (McAfee, Symantec, etc.) is properly installed and running on every system you expect it to be. This is not a trivial task. Many of our customers have found out after installing ForeScout CounterACT that hundreds (in some cases, thousands) of endpoints were not running the required antivirus. CounterACT helps you ensure that all your endpoint security technologies are fully deployed, fully operational, and up-to-date. More information about this use-case is shown here.  Below is a simple out-of-the-box policy that can be configured with just a few mouse clicks.

 Flame policy check 4 resized 600

 

 

A final note:  Flame is actually quite complex. This malware has an initial payload of 900k up to 6Mb and it can load additional “modules” increasing to 20Mb onto the host OS. This is a lot of code and a lot of possibility. This threat will evolve. Now add the capability that this malware can call back to a Command and Control server. (Remote control with payload changes=really wicked)

Why are we telling you something you probably already know? Because Flame will morph, and once it does, your existing antimalware products will (for a time) be useless. So you need day-zero protection. And that is what ForeScout’s patented ActiveResponse technology provides. ActiveResponse can identify and block day-zero threats that are propagating on your internal network. More details about ActiveResponse are posted here.

Additional information about Flame:

http://blogs.mcafee.com/mcafee-labs/skywiper-fanning-the-flames-of-cyber-warfare

http://www.crysys.hu/skywiper/skywiper.pdf

http://www.computerworld.com/s/article/9227524/Researchers_identify_Stuxnet_like_malware_called_Flame_?source=rss_security&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+computerworld%2Fs%2Ffeed%2Ftopic%2F85+%28Computerworld+Malware+and+Vulnerabilities+News%29

http://www.securelist.com/en/blog/208193538/Flame_Bunny_Frog_Munch_and_BeetleJuice

 

Bob Reny, CISSP #4696

Systems Engineer
ForeScout Technologies, Inc.

Tags: ,

Comments

There are no comments on this article.
Comments have been closed for this article.