Protect your network against Flame with ForeScout CounterACT
News headlines across the Internet are describing a very interesting new malware called Flame. (a.k.a sKyWIper). The deployment and action payload suggest this is a major evolution of malware with increased complexity and capability.
We have been deluged with questions from customers asking whether CounterACT can protect their networks against Flame. The short answer is “yes”. In this post, I’ll tell you how to configure ForeScout CounterACT to block several of the propagation techniques used by Flame.
At a high level, in order to protect your organization against Flame, you need to:
- Detect and block propagation attempts on your network
- Detect whether new hosts connecting to your network are infected by Flame
- Understand if all your managed systems are properly protected from infection by your antivirus of choice
Identify propagation on your network
To propagate, Flame looks for vulnerable services on your network. It uses some of the same propagation techniques that STUXnet used, which ForeScout products blocked on day zero. Blocking these propagation techniques is quite easy, you just need to configure ForeScout’s ActiveResponse technology. Here is how you do it:
CounterACT Policy check #1: Create a default policy looking for malicious host communicating on the network.
CounterACT Policy check #2: Create a policy that looks for a specific HTTP user agent which is embedded within Flame. HTTP USER AGENT check, matches= Mozilla/4.0 (compatible; MSIE 6.0; Windows NT5.1; .NET CLR 1.1.2150)
This policy will check systems in two ways: host OS inspection and network packet monitoring.
Detect if a new host connecting to your network is infected
There are several methods to detect the presence of Flame on a host before it connects to your network. The most straightforward is to check for specific file names and registry key values as shown below. The key thing that you need to know is that CounterACT can check unmanaged hosts in this way. You may feel comfortable that all your managed systems have proper endpoint protection (McAfee, Symantec, etc.), but it is important that your network be able to protect itself against unmanaged systems connecting to your network. (Think BYOD.) ForeScout CounterACT does this.
CounterACT Policy check #3:
- File search: \Program Files\Common Files\Microsoft Shared\MSSecurityMgr
- File Search: \Program Files\Common Files\MSAudio
- File Search: \Program Files\Common Files\MSAuthCtrl
- File Search: \Program Files\Common Files\MSAPackages
- File search: \Program Files\Common Files\MSSndMix
Registry Key Value (Registry Check for LSA registry modification)
Added key: Authentication Packages= mssecmgr.ocx
Are all your managed hosts protected by antimalware?
The new active payload that is inside Flame still has a lot to teach the security world as the full contents of the code are still being discovered. (Trust me this is really cool stuff in a dark, wicked kinda way.) By now, antimalware vendors have updated their products to detect and remove the Flame threat. However, your job is not done, because you need to ensure that your antimalware product of choice (McAfee, Symantec, etc.) is properly installed and running on every system you expect it to be. This is not a trivial task. Many of our customers have found out after installing ForeScout CounterACT that hundreds (in some cases, thousands) of endpoints were not running the required antivirus. CounterACT helps you ensure that all your endpoint security technologies are fully deployed, fully operational, and up-to-date. More information about this use-case is shown here. Below is a simple out-of-the-box policy that can be configured with just a few mouse clicks.
A final note: Flame is actually quite complex. This malware has an initial payload of 900k up to 6Mb and it can load additional “modules” increasing to 20Mb onto the host OS. This is a lot of code and a lot of possibility. This threat will evolve. Now add the capability that this malware can call back to a Command and Control server. (Remote control with payload changes=really wicked)
Why are we telling you something you probably already know? Because Flame will morph, and once it does, your existing antimalware products will (for a time) be useless. So you need day-zero protection. And that is what ForeScout’s patented ActiveResponse technology provides. ActiveResponse can identify and block day-zero threats that are propagating on your internal network. More details about ActiveResponse are posted here.
Additional information about Flame:
Bob Reny, CISSP #4696
ForeScout Technologies, Inc.