Security Ripcord


Should you be thinking about Virut?

While everybody has been busy responding to Conficker/Downadup, a nasty little virus loosely known as Virut has begun to make itself known.  When I first heard about this, a co-worker pointed me to a new post at the Microsoft Malware Protection Center: There’s a New Virut on the Block.  Over the next few days some of the other software vendors started posting their findings about this new mutation: Microsoft, Symantec, McAfee, TrendMicro, ThreatExpert, Sophos (they call it Scribble).

This virus is especially fun because it is very good at propagating throughout a Microsoft Windows environment very quickly.  Here are some of the most interesting features:

Virus:Win32/Virut.BM

Win32/Virut.BM disables Windows System File Protection (SFP) by injecting code into WINLOGON.EXE. The injected code patches sfc_os.dll in memory which in turn allows the virus to infect files protected by SFP.

The virus infects .EXE and .SCR files on access, hence actions such as copying or viewing files with Explorer, including on shares (with write access) will result in files being infected, and the virus spreading from machine to machine.

W32/Scribble-A

W32/Scribble-A injects a malicious iframe into files whose extensions start with HTM, PHP or ASP, with affected files detected as Troj/Fujif-Gen. At the time of writing the iframe points to a site that hosts more malware.

PE_VIRUT.BO

This file infector connects to a remote IRC server. It then joins a channel to receive and execute commands on the affected system. This routine effectively compromises system security.
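The Sophos write-up quoted above says Scribble rewrites files whose extensions start with HTM, PHP or ASP to carry a hidden iframe pointing at a malware host. A web administrator's first question is "which of my files have been touched?". The following is an added example, not code from this post or from any AV vendor: a scanner that walks a web root, picks out the same extension families, and reports iframes that are either hidden (zero width/height, `display:none`, `visibility:hidden`) or point at a host outside an allowlist. The sample web root it builds in a temp directory, the `example.invalid` and `corp.example` host names, and the `trusted_hosts` parameter are all constructed for the demonstration.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Extension families named in the Sophos description: HTM, PHP, ASP and their
# variants (.html, .php3, .aspx ...) all start with one of these prefixes.
TARGET_PREFIXES = ("htm", "php", "asp")

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Attributes that make a frame invisible to the visitor; a legitimate embedded
# page is normally meant to be seen, so any of these is worth a look.
HIDDEN_MARKERS = (
    re.compile(r"""\b(width|height)\s*=\s*["']?0\b""", re.IGNORECASE),
    re.compile(r"display\s*:\s*none", re.IGNORECASE),
    re.compile(r"visibility\s*:\s*hidden", re.IGNORECASE),
)


def is_web_content(filename):
    """True for .htm*/.php*/.asp* files, matched case-insensitively by prefix."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return ext.startswith(TARGET_PREFIXES)


def suspicious_iframes(text, trusted_hosts):
    """Return (tag, reason) pairs for iframes that are hidden or point off-site."""
    findings = []
    for match in IFRAME_RE.finditer(text):
        tag = match.group(0)
        reasons = []
        if any(marker.search(tag) for marker in HIDDEN_MARKERS):
            reasons.append("hidden iframe")
        src = SRC_RE.search(tag)
        if src:
            host = urlparse(src.group(1)).hostname
            if host and host.lower() not in trusted_hosts:
                reasons.append("off-site src %s" % host)
        if reasons:
            findings.append((tag, "; ".join(reasons)))
    return findings


def scan_webroot(root, trusted_hosts):
    """Map each affected file (path relative to root, '/'-separated) to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not is_web_content(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = suspicious_iframes(fh.read(), trusted_hosts)
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


def build_sample_webroot():
    """Constructed sample content for running the scanner offline (not real infected files)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        # hidden, off-site frame appended to a page: the pattern the write-up describes
        "index.htm": '<html><body>Intranet home</body>\n'
                     '<iframe src="http://malware.example.invalid/x.php" width=0 height=0></iframe></html>',
        "admin/tools.aspx": "<%@ Page %><div>Admin tools</div>"
                            "<iframe src='http://malware.example.invalid/y.php' style='display:none'></iframe>",
        # visible frame to an allowlisted internal host: should not be reported
        "news.php": '<?php echo "news"; ?><iframe src="http://intranet.corp.example/feed" height="300"></iframe>',
        # wrong extension family: never opened
        "readme.txt": '<iframe src="http://malware.example.invalid/" width=0></iframe>',
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, hits in scan_webroot(build_sample_webroot(), {"intranet.corp.example"}).items():
        for tag, reason in hits:
            print("%s: %s  <- %s" % (path, reason, tag))
```

Run it against a real web root with the hosts your pages legitimately embed in `trusted_hosts`; a hit on a file the developers have not touched is a strong sign the server, or a workstation with write access to the share, is infected, and the Sophos and Microsoft notes above make clear that a cleaned page is not the same as a cleaned server.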

I can hear what you are thinking about these capabilities.  Nothing too unusual.  Companies should be able to handle this sufficiently.  It appears that the Anti-Virus vendors are on top of the situation so prevention and clean-up should be a breeze.  Well, that is where the complications begin.  Remember that little bit about disabling Windows File Protection?  This means that Virut can and will infect critical system files.  One detail that some AV vendors leave out or bury is the fact that cleaning up after Virut is not that easy.  Microsoft helps us with a little note in their write-up.

Virus:Win32/Virut.BM

Note: The method of infection used by Win32/Virut can damage some infected files beyond repair. In these cases, in order to return a machine to its pre-infected state, it may be necessary to install a clean backup of the operating system and associated applications.
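Put the two vendor statements together: Virut infects every .EXE and .SCR it can reach on access, it disables System File Protection so Windows will not restore the originals, and the infected copies may be damaged beyond repair. The only reliable way to know which executables changed is a hash baseline taken while the system was clean and stored off the host. The following is an added example, not the post's or Microsoft's code: it records size and SHA-256 for every .exe/.scr under a directory, saves the baseline as JSON, and later reports modified, added and missing files. The directory tree and the "change" it applies are constructed for the demonstration; they are ordinary byte files, not malware.

```python
import hashlib
import json
import os
import tempfile

# The two file types the Microsoft write-up says Virut infects on access.
INFECTABLE = (".exe", ".scr")


def file_record(path):
    """Size, mtime and SHA-256 of one file. Only the hash is used for comparison:
    an infector can set the timestamp back and size alone misses in-place patches."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {"size": st.st_size, "mtime": st.st_mtime, "sha256": digest.hexdigest()}


def snapshot(root):
    """Record every .exe/.scr under root, keyed by '/'-separated relative path."""
    records = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(INFECTABLE):
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                records[rel] = file_record(path)
    return records


def save_baseline(records, path):
    """Write the baseline to JSON; keep this file off the host it describes."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(records, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline, current):
    """Classify files as modified (hash differs), added or missing relative to the baseline."""
    modified = sorted(p for p in baseline
                      if p in current and baseline[p]["sha256"] != current[p]["sha256"])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "missing": missing}


def build_sample_tree():
    """Constructed directory standing in for a system volume (plain byte files, not executables)."""
    root = tempfile.mkdtemp(prefix="baseline_")
    samples = {
        "system32/calc.exe": b"MZ" + b"\x00" * 64,
        "system32/logon.scr": b"MZ" + b"\x01" * 32,
        "notes.txt": b"not an executable, never recorded",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root


def simulate_change(root):
    """Constructed change for the demo: append bytes to one .exe and drop a new .exe in."""
    with open(os.path.join(root, "system32", "calc.exe"), "ab") as fh:
        fh.write(b"X" * 16)
    with open(os.path.join(root, "system32", "new.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x02" * 8)


if __name__ == "__main__":
    tree = build_sample_tree()
    baseline_file = os.path.join(tempfile.mkdtemp(prefix="offhost_"), "baseline.json")
    save_baseline(snapshot(tree), baseline_file)
    simulate_change(tree)
    print(json.dumps(compare(load_baseline(baseline_file), snapshot(tree)), indent=1))
```

Take the baseline right after a build is patched and scanned, and run the comparison from a clean boot environment rather than from the possibly infected Windows install, since the virus patches the running system to hide from SFP. The "modified" list is what has to come from backup or install media; the "added" list is what the virus, or an administrator, dropped in since.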

Now it starts getting interesting.  Let me give you another scenario.  Your organization is very robust and you are using roaming profiles to allow your users to log into multiple workstations.  All of a sudden your server that hosts these roaming profiles is infected.  Users start logging in because that is what they do.  Bang, workstation after workstation is infected.  The only way to stop it is to stop users from logging in or to take your roaming profile server offline.  Who’s going to make that call?  No worries, your users don’t have administrator privileges, correct?  Of course, it does not have to be a roaming profile server.  Do you have any file sharing configured within your network? Sweetness.

Here is a great scenario for administrators.  Do you have any web-based administration tools?  What about your developers?  No admin tools, okay, do you have any internal websites?  Wow, suddenly this is adversely affecting a whole bunch of applications and not just the operating system.

So now I’ll let you decide.  Would you rather spend your time rebuilding your critical systems and user workstations or spend the time doing a little preparation?  Actually, the protections are all the same ones that every security professional has been pushing over the last five years.  There is nothing new or golden.  But let’s go over a few (this is not a comprehensive list) so that I can say I pointed you in the right direction.  By the way, if you have some to add, please add a comment or two.  As usual, all of these should be evaluated to determine if they do reduce risk while not adversely impacting business operations.

Quick Techniques:

  • If it is determined that a server that provides roaming profiles, login scripts, or any network share has been infected the systems should be immediately isolated from the network.  Users should not log into any systems that require roaming profiles or are connected to network shares until the server(s) that provide this functionality are clean.
  • All systems should be updated to include the new virus definitions provided by the AV vendor.  If maintenance agreements are in place, the AV vendors should be contacted to determine if they have provided definitions or protections for the new strains of the Virut virus currently propagating in the wild.
  • All network and host-based IDS/IPS systems and applications should be updated to include new signatures associated with detecting the activity generated by this malware.  If maintenance agreements are in place, the network and host-based IDS/IPS vendors should be contacted to determine if they have provided signatures or protections for the new strains of the Virut virus currently propagating in the wild.
  • Remote systems such as laptops should be required to update their AV software and scan the system before being permitted to connect to the network.
  • Users should be required to scan all removable media (regardless of size or content) on an isolated, patched, and AV up-to-date virus scanning system before being allowed to connect it to a computer (server or workstation).
  • On critical resources, where possible, isolate the systems from network shares and resources.  Temporarily ban network logins, the use of removable media, and any unnecessary network activity such as checking email or browsing the Internet from these resources.  This may require the creation of a local (non-roaming profile) administrative level account to administer the system in case the roaming profile server or the server providing login scripts is compromised.
  • Complete, operating system level backups of all critical assets should be created and tested to ensure that these systems can be recovered quickly and accurately.
  • Monitor the list of viruses cleaned by the Microsoft Malicious Software Removal Tool to determine when it provides functionality for the new strain of Virut.  Have administrators practice deploying this tool both remotely and locally.
  • Monitor network traffic for bot-like activity connecting to Internet servers as outlined in the AV vendors’ Virut descriptions.
  • Specific administrators should be assigned to monitor for updated information from AV vendor websites.
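The Trend Micro description above says the infector joins an IRC channel to take commands, and the bullet on monitoring network traffic asks for that activity to be watched for. The following is an added example, not code from this post or from any vendor: it reads firewall connection log lines, keeps only outbound TCP flows to addresses outside RFC 1918 space, and flags a flow when it uses a conventional IRC port or when the same host reconnects to the same destination at near-constant intervals (the check-in pattern of a bot). The log format, the host addresses (RFC 5737 documentation ranges) and the port list are all constructed assumptions; the real servers and ports for a given strain come from the vendor write-ups, and the port set should be adjusted to them.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Conventional IRC listener ports (an assumption; a botnet may use any port,
# which is why the periodicity check below does not depend on the port at all).
IRC_PORTS = set(range(6660, 6670)) | {7000}

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall export used for the offline run. Fields:
#   <iso-time> <src> <dst> <dport> <proto> <action>
SAMPLE_LOG = """\
2009-02-16T10:00:00 10.1.4.22 198.51.100.7 6667 TCP allow
2009-02-16T10:05:00 10.1.4.22 198.51.100.7 6667 TCP allow
2009-02-16T10:10:00 10.1.4.22 198.51.100.7 6667 TCP allow
2009-02-16T10:15:00 10.1.4.22 198.51.100.7 6667 TCP allow
2009-02-16T10:01:13 10.1.4.35 203.0.113.9 8080 TCP allow
2009-02-16T10:31:13 10.1.4.35 203.0.113.9 8080 TCP allow
2009-02-16T11:01:13 10.1.4.35 203.0.113.9 8080 TCP allow
2009-02-16T10:02:41 10.1.4.50 10.1.1.5 445 TCP allow
2009-02-16T10:03:07 10.1.4.50 198.51.100.40 80 TCP allow
2009-02-16T10:09:55 10.1.4.50 198.51.100.40 80 TCP allow
2009-02-16T10:47:12 10.1.4.50 198.51.100.40 80 TCP allow
"""


def parse_line(line):
    """Parse one line of the constructed log format into a dict."""
    ts, src, dst, port, proto, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "proto": proto, "action": action}


def is_external(ip):
    """True when the address is outside the RFC 1918 ranges we treat as internal."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyse(lines, min_hits=3, jitter=0.2):
    """Group outbound flows by (src, dst, port) and flag IRC ports and periodic reconnects.

    A flow is 'periodic' when it has at least min_hits connections and the
    standard deviation of the gaps between them is within jitter * mean gap."""
    flows = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] == "TCP" and is_external(rec["dst"]):
            flows[(rec["src"], rec["dst"], rec["port"])].append(rec["ts"])

    alerts = []
    for (src, dst, port), times in flows.items():
        reasons = []
        if port in IRC_PORTS:
            reasons.append("IRC port")
        times.sort()
        if len(times) >= min_hits:
            gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
            mean_gap = statistics.mean(gaps)
            if mean_gap > 0 and statistics.pstdev(gaps) / mean_gap <= jitter:
                reasons.append("periodic (%.0fs)" % mean_gap)
        if reasons:
            alerts.append({"src": src, "dst": dst, "port": port,
                           "count": len(times), "reasons": reasons})
    return sorted(alerts, key=lambda a: (a["src"], a["dst"], a["port"]))


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print("%(src)s -> %(dst)s:%(port)d x%(count)d  %(reasons)s" % alert)
```

In the sample, the host on 6667 trips both checks, the host on 8080 trips only the periodicity check (an IRC server need not sit on an IRC port), and the host with irregular web traffic is left alone. Feed it a day of exported firewall logs and hand the flagged sources to the administrators doing the AV sweep; a workstation that checks in on a schedule while the AV says it is clean is exactly the case the post is warning about.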

Don’t think those are hard enough to implement, threat or no threat?  Try these long term protections.

Long Term Techniques:

  • Users that do not require administrator capabilities should not be given administrator rights on their systems.
  • Systems that do not require access to network shares and other resources should not be configured to utilize these shares or resources.
  • Network resources and user profiles should be segregated by domain restrictions provided through robust Active Directory configurations.
  • All systems and servers (on which it does not pose an adverse impact to operability) should have centrally managed AV and host-based Intrusion Detection/Prevention software installed.
  • Autorun should be disabled on all systems and servers.
  • All operating systems and third party applications should be routinely patched.  All unnecessary operating system functionality or third party applications should be removed from any system that does not require them to operate or provide business related functionality.
  • Review and update all maintenance agreements with AV and network/host-based IDS/IPS vendors.
  • Review, update, and implement policies detailing acceptable use pertaining to removable media, email usage, and Internet usage.

All of this said, I would like to remind everybody that the key to incident response is the preparation phase.  If we are not thinking about how to handle these situations within our environments then we are not going to be prepared.  As I stated before, this virus is nothing special in the grand scheme of malware.  Good security should limit, quickly contain, and eradicate an infection.  Not taking the effects of a virus such as this into consideration, however, is going to mean some long evening and weekend hours for the server and workstation administrators.  It also means that funds that could have been spent on increasing protections are going to be wasted on the clean-up effort.  Hopefully this puts the bug in your ear and gives you a little information and methodology to help you educate others within your organization.

As I stated before, please leave a comment if you would like to add something.  Quick stories about how Virut affected your organization may help others understand what they could be up against.

Go forth and do good things,

Don C. Weber




2 Responses to “Should you be thinking about Virut?”

  1. This Virut (Vitro) Virus needs to be publicized more. I have a shop full of client’s machines that are infected. We are desperately trying to stop the bleeding. Only last night was I able to find basic documentation on how to handle this virus:
    http://securitylabs.websense.com/content/blogs/3300.aspx
    and
    http://www.tech-linkblog.com/2009/02/polymorphic-win32vitro-most-virulnt-virus.html/

    So far the above link provides the best details on what needs to be done, but it is also the most depressing (zero out the drive then re-format). OMG, what do I tell my clients?

    They may as well buy a new computer and transfer their data “only”. By the time I mirror their drive (no backups of course), zero out the drive, reload Win OS w/necessary drivers (owners never have the disks anymore [thank you Dell]), install the remaining 43 (minimum) security updates, and a reliable AV software. Then migrate their data back to their system and tell them all they have to do is reload their applications. I get a deadpan stare and a cold verbal response when I give them a bill for 3 hours work. Heaven help me if they get reinfected within the week. Plus I still have to zero out the drive I mirrored to before I can start on the next client.

    How can I now be sure we got the whole virus eradicated? We have (we think) experienced where our “flash drive” utilities have been compromised (Avast’s install EXE, WinSockXPFix, etc. for example) by the Vitro.

    If I connect the infected drive as a USB slave to the fresh “clean” drive (system) to move “only data” will the BIOS or Driver install move the infection back?

    Things I do know:
    The EXE files in SYSTEM32 are the first to go. If the dates and sizes have all been updated you’ve been had.

    Most infections start as an iFrame infection from a compromised web site. During the iFrame clean – the EXE parasite attacks at full force.

    I will add more related to symptoms once my high blood pressure subsides and do some more testing.

    Tom

