download issue 24 here - Help Net Security

More documents

Recommendations

Info

Office applications (Adobe Reader, Microsoft Office, etc.) are being actively targeted by malware authors. Malicious documents “in the wild” that try to infect your machine by exploiting vulnerabilities in the office applications abound. For more than a year now, PDF files targeting Adobe Reader have been quite popular with malware authors. I assume that you need to use vulnerable office applications on your business computer, and that applying patches to fix vulnerabilities is not always possible, or that it requires leaving your machines unprotected for a time. I also assume that using alternative office applications to change the attack surface is not an option for your business. The techniques featured here help to protect you from malware that targets the general Internet population. These techniques are not appropriate to protect you from targeted attacks. In a targeted attack, the malware author has information about his target that allows him to design his malware to operate in the (restricted) environment of his target. An example of malware used in a targeted attack is a malicious PDF document designed to steal confidential documents from a competitor. I had one important criteria for selecting techniques to feature in this article: use only free software. Least-privileged user account (LUA) Almost all shellcode I see in malicious documents (PDF, Word, Powerpoint, …) found “in the wild” does the following: 1. Download a trojan from the Internet using HTTP 2. Write the downloaded executable to SYSTEM32 3. Execute the downloaded executable. www.insecuremag.com 38
This infection method only works if the user is the local admin. If the exploited program has no rights to write to SYSTEM32, the shellcode will fail in its task and the Trojan will infect the machine. To protect your users against this type of attack, restrict their user rights. Windows Vista and later Windows versions do this for you with UAC, even if youʼre an administrator. On Windows XP, you have to use a normal user account instead of an admin account to achieve this. But running with LUA on Windows XP is not always easy. If you really need to allow admin rights on Windows XP, you can Itʼs not always easy to launch a program with DropMyRights, as there are many ways a program can be launched on Windows. For example, it can be done with a file-type association or from a browser. To help you configure still prevent high-risk applications (like Adobe Acrobat and Microsoft Office) from having full control over the system by restricting their rights. This is achieved by using a restricted token for the processes of these applications. There are 2 popular tools to launch programs with a restricted token: • DropMyRights by Michael Howard • StripMyRights by Kåre Smith. Both tools create a restricted token (by removing privileges and denying groups that provide local admin rights) and then launch the target program with this restricted token. Windows to always restrict the rights of a specific program, StripMyRights also supports the “Image File Execution Options” method with the /D option. www.insecuremag.com 39
Page 5 and 6: 25 million new malware strains in o
Page 7 and 8: Google hacked, plans to leave China
Page 9 and 10: Hacker attacks on healthcare organi
Page 11 and 12: Even though most standard stacks us
Page 13: Server support still missing Unfort
Page 16 and 17: What are these new approaches? Let
Page 18 and 19: The need for new security controls
Page 21 and 22: How many times have you, as a secur
Page 23 and 24: 1Password interface Although this i
Page 25 and 26: The option “Never prompt for mast
Page 27 and 28: The master password on the iPhone a
Page 29 and 30: Identifying those applications is n
Page 31: The single tool trap Scanning tools
Page 34 and 35: Cloud Security and Privacy By Tim M
Page 36: Spam and phishing scams will follow
Page 41 and 42: Hook-createprocess.dll is a DLL tha
Page 43: Here are some of the Twitter feeds
Page 46 and 47: organizations the tools they need t
Page 48: This is not unlike other business o
Page 52 and 53: acronyms without researching their
Page 54 and 55: process of calculation the answer.
Page 57 and 58: In any environment, large or small,
Page 59 and 60: Remoted (running on the server) rec
Page 61 and 62: alpha group alpha events 10000 Ch
Page 63: RSA Conference 2010 (www.bit.ly/rsa
Page 66: And most of the time, they fail bec
Page 69 and 70: We are also working with SANS on de
Page 71 and 72: There are three components involved
Page 73 and 74: " • Support for health checks by
Page 76 and 77: Sectool (www.net-security.org/softw
Page 78 and 79: To achieve this, retailers must shi

download issue 24 here - Help Net Security

Create successful ePaper yourself

Delete template?

Save as template?