October 24, 2003

Flea: New Email Virus tried to attack me

Well, apparently there is a new worm out there called Flea. This little sucker can execute automatically when users open HTML formatted emails in Microsoft Outlook or Outlook Express. Unlike most Windows nasties, the bug does not depend on a user opening an infectious file to do its mischief, and guess what... I almost infected myself.

I say almost, because a funny thing happened. My latest work on my Intrusion Prevention System (IPS), which provides mandatory access control, gained a new feature this week: the ability to shield the Windows base install directory from untrusted access. This was accomplished by setting a security policy which allows read and execute access to the systemroot directory (normally C:\Windows on XP) and all its subdirectories, but prompts the administrator with a default DENY if anyone attempts to write or delete anything in the Windows directory, unless it is Windows Update.

Well, guess what? This morning in my inbox was a seemingly harmless message that passed my SpamAssassin server filter and my host-based anti-virus scanner. When I clicked on it, my IPS code prompted me that there was an attempt to write to the Windows directory, something I know I didn't ask for. I clicked the "Deny Access" button and the attack ended. That stopped the propagation dead in its tracks, and the 'Flea' was dead.

I am kinda happy I added that feature this week. It has already paid for itself by protecting me. The anti-virus product I use from NAI didn't have a signature for this beast, and there lies the problem with all such products, not just NAI. Signature based policy enforcement alone is not enough. Strong security policies which use anomaly detection with least privilege go a lot further. In my case, I was protected from this unknown threat because I had already determined that there is no reason for anyone or anything to write to the Windows base system unless it is Windows Update itself. (Well, to be honest there are some other policies as well to allow logging etc., but that is out of scope of what we are talking about.)

In applying this policy, it doesn't matter if a new strain of this attack occurs. Its propagation is revoked because it goes against the nature of the policy defined. Man, what a neat way to see my code work in action when I wasn't expecting it! Good way to end a great coding week!

Posted by SilverStr at October 24, 2003 11:45 AM
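The shielding policy described in the post, as an added Python model that is not the author's IPS code: it normalizes the requested path, decides whether it falls under the systemroot, allows read and execute to everyone, lets only an assumed Windows Update process name (wuauclt.exe, an assumption) write or delete, and turns every other write into a prompt whose unanswered default is deny. The process names, the systemroot value and the sample events are constructed.

```python
import ntpath
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"
    PROMPT = "prompt"   # ask the administrator; an unanswered prompt defaults to deny
    DENY = "deny"

@dataclass(frozen=True)
class FileOp:
    process: str   # image name of the requesting process
    path: str      # target path exactly as the process supplied it
    access: str    # read, execute, write or delete

SYSTEMROOT = r"C:\Windows"          # assumed systemroot (c:\windows on the post's XP box)
TRUSTED_WRITERS = {"wuauclt.exe"}   # assumption: only the Windows Update client may write

def normalize(path: str) -> str:
    # Collapse '.', '..' and mixed slashes, then fold case (NTFS is case-insensitive).
    return ntpath.normpath(path).lower()

def under_systemroot(path: str) -> bool:
    root, target = normalize(SYSTEMROOT), normalize(path)
    # Match on a path boundary so a sibling such as 'C:\WindowsBackup' stays outside.
    return target == root or target.startswith(root + "\\")

def evaluate(op: FileOp) -> Verdict:
    if not under_systemroot(op.path):
        return Verdict.ALLOW                  # the policy only shields the Windows tree
    if op.access in ("read", "execute"):
        return Verdict.ALLOW                  # anyone may read or execute system files
    if op.access in ("write", "delete"):
        if op.process.lower() in TRUSTED_WRITERS:
            return Verdict.ALLOW              # the Windows Update exception
        return Verdict.PROMPT                 # unknown writer: ask the admin, default deny
    return Verdict.DENY                       # unrecognised access type: fail closed

def enforce(op: FileOp, admin_allows: bool = False) -> Verdict:
    # A prompt becomes ALLOW only on an explicit yes; 'Deny Access' or silence keeps DENY.
    verdict = evaluate(op)
    if verdict is Verdict.PROMPT:
        return Verdict.ALLOW if admin_allows else Verdict.DENY
    return verdict

# Constructed sample events modelled on the morning described in the post.
SAMPLE_OPS = [
    FileOp("mailclient.exe", r"c:/WINDOWS/../windows/dropper.exe", "write"),
    FileOp("wuauclt.exe", r"C:\Windows\system32\patched.dll", "write"),
    FileOp("mailclient.exe", r"C:\WindowsBackup\note.txt", "write"),
]
```

The first sample event is the interesting one: the mixed-case, traversal-laden path still resolves inside the shielded tree, so the write is prompted and, absent an explicit yes, denied.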
Comments

Kudos. Wish I would have had some code like that on one of my user's desktops earlier this week.
Posted by: fozbaca at October 24, 2003 12:06 PM

Sounds pretty cool. You're still running outlook express again why? :)
Posted by: Arcterex at October 24, 2003 12:57 PM