Securing Gateways Identifying/Defending E-Mail Attacks
Presentation Transcript


  1. Securing Gateways: Identifying/Defending E-Mail Attacks
  A. Padgett Peterson, P.E., CISSP
  Corporate Information Protection, Lockheed Martin Corporation, Orlando, Florida
  Las Vegas, 26 July, 2000

  2. The Problem
  • In recent months the most serious problems have been from the “Mass Mailer” viruses
  • They may take many forms:
    • Word documents: Melissa
    • Excel spreadsheets: Papa
    • VBS files: Loveletter
    • Script files: KAK
  • All have common roots
  • There are other vectors, but they are less common
  appbh00

  3. What makes Mass Mailers easy

  4. Mass Mailers
  • From a corporate/agency standpoint, the really disruptive mechanisms are those which broadcast using global address lists (GAL)
    • potential for thousands of messages
    • 50,000 Melissa messages seen
    • 200,000 LoveLetter messages seen

  5. Mass Mailers
  • Thus far, .EXE files are constrained to local access
    • e.g. PrettyPark uses the .WAB (Windows Address Book) and has no access to the GAL
  • All attacks using the GAL are VB based (VBA/VBS/ActiveX)

  6. Mass Mailing
  Reference: MSDN, “Enabling Your Program for Mail: Overview” (MAPI):
  http://msdn.microsoft.com/library/devprods/vs6/vc++/vccore/_core_mapi.2c_.enabling_your_program_for_mail.3a_.overview.htm

  7. Looking Sdrawkcab
  • Early 1998: the vendor was told that inclusion of CreateObject in VBS was not a good idea
    • Ignored, as usual
  • The Russian New Year (RNY) attack demonstrated the capability of embedded scripting
  • A patch was issued for RNY for WORD/EXCEL. It required a 32 Mb download and ignored PowerPoint.

  8. Looking Sdrawkcab: Dec 1997
  • Outlook added HTML capability
  • Discovering exactly which HTML was supported was like pulling teeth

  9. Whazzat?
  The image is on a remote site:

  <DIV><STRONG><FONT color=#000000>Experiment #17, HTML generation test</FONT></STRONG></DIV>
  <DIV><FONT color=#000000><EM><U>This is a test of HTML response capability</U></EM></FONT></DIV>
  <UL>
  <LI><FONT color=#ff0000 face="">If you see more than this message</FONT></LI>
  <LI><FONT color=#003f00 face="" size=2>text please let me know </FONT></LI></UL>
  <p><a href="mailto:padgett@xxxxx">Padgett</a></p>
  <center><img src ="http://www.(outside ISP)/padgett/judge.jpg"></center>
  </BODY></HTML>
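The point of the test message above is that an HTML-capable mail client fetches the remote image when the message is rendered, so the sender learns that the message was opened and from which address. The following added example (not code from the presentation; the sample body and the host name in it are constructed placeholders) scans an HTML body with the standard library and reports every tag attribute that would make the client contact an outside host, while ignoring message-internal cid: parts and data: URIs.

```python
"""Find remote-content references (web bugs) in an HTML mail body.

Added example, not from the original presentation. The sample body is
constructed and the host it references is a placeholder.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make a client fetch a URL when rendering.
_FETCH_ATTRS = {
    "img": ("src", "lowsrc", "dynsrc"),
    "script": ("src",),
    "iframe": ("src",),
    "frame": ("src",),
    "link": ("href",),
    "body": ("background",),
    "object": ("data", "codebase"),
    "embed": ("src",),
    "input": ("src",),
}


class RemoteRefFinder(HTMLParser):
    """Collects (tag, attr, url) for every reference that leaves the message."""

    def __init__(self):
        super().__init__()
        self.refs = []      # remote fetches (http/https/ftp or scheme-relative)
        self.cid_refs = []  # cid: references to attached MIME parts (stay local)

    def handle_starttag(self, tag, attrs):
        wanted = _FETCH_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:          # HTMLParser lowercases names already
            if name in wanted and value:
                self._classify(tag, name, value.strip())

    handle_startendtag = handle_starttag   # also handles <img ... />

    def _classify(self, tag, attr, url):
        scheme = urlsplit(url).scheme.lower()
        if scheme == "cid":
            self.cid_refs.append((tag, attr, url))
        elif scheme in ("http", "https", "ftp") or url.startswith("//"):
            self.refs.append((tag, attr, url))
        # data: URIs and relative paths never reach a remote host.


def find_remote_refs(html_body):
    """Return [(tag, attr, url), ...] for each external fetch the body triggers."""
    parser = RemoteRefFinder()
    parser.feed(html_body)
    parser.close()
    return parser.refs


def remote_hosts(html_body):
    """Distinct hosts the client would contact when rendering the body."""
    hosts = set()
    for _, _, url in find_remote_refs(html_body):
        if url.startswith("//"):
            url = "http:" + url
        hosts.add(urlsplit(url).hostname)
    return hosts


# Constructed sample modelled on the slide's test message (host is a placeholder).
SAMPLE_BODY = """<HTML><BODY>
<DIV><STRONG><FONT color=#000000>Experiment #17, HTML generation test</FONT></STRONG></DIV>
<UL><LI>If you see more than this message text please let me know</LI></UL>
<center><img src="http://www.example.net/padgett/judge.jpg"></center>
<img src="cid:logo@local" width=1 height=1>
</BODY></HTML>"""

if __name__ == "__main__":
    for tag, attr, url in find_remote_refs(SAMPLE_BODY):
        print(f"remote fetch via <{tag} {attr}>: {url}")
    print("hosts contacted:", sorted(remote_hosts(SAMPLE_BODY)))
```

A gateway can use the result to strip or rewrite such references, or simply to log which outside hosts a message would cause every recipient to contact. Note that this catches only what the parser sees as markup; content hidden inside script that builds tags at render time is a separate problem.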

  10. July 00: Surprise
  http://www.microsoft.com/technet/security/bulletin/fq00-049.asp
  The Office HTML Script vulnerability allows malicious script code on a web page to reference an Excel 2000 or PowerPoint file in such a way as to cause a remotely hosted file to be saved to a visiting user's hard drive.

  11. Since Then
  • W97M/Alina.A@MM
  • W97M/Antisocial.E@MM
  • W97M/Bench.E@mm
  • W97M/Buffer.A@MM
  • W97M/MadCow@MM, WM97/Melissa-D@MM (over 50 Melissas now)
  • W97M/Cobra.F@MM
  • W97M/Evolution.E@MM
  • W97M/Jany.B@MM
  • W97M/Lucia.A@MM
  • W97M/Nail.B@MM
  • W97M/Ping.B@MM
  • W97M/Prilissa.A@MM
  • etc, etc, etc

  12. What is the common factor?
  • ALL use CreateObject
  • There are other possible constructs:
    • GetObject (the object must pre-exist)
    • CreateTextObject (using executable ASCII)
    • GetTextObject
    • and one more we'll mention later
    • but not many

  13. Gateway Factor
  • “Block all scripting”
    • something about a baby and a bath?
  • “Block all executables”
    • care to be a bit more specific? The list would include:
    ??_ AD? ASP BAS BAT BIN CDR CHM CMD COM CPL CRT CSC DEV DL? DO? EXE GMS GZ? HLP HT? IM? INI INS ISP JS? MD? MPP MPT MS? OBD OBT OCX OLE OV? PCD POT PP? RTF SCR SCT SHS SMM SYS VB? VS? VXD WBK WPD WS? XL? XML XTP

  14. More Appropriate
  • Allow only permitted extensions
  • Block anything containing the “fab four” constructs (the CreateObject family listed on slide 12)
  • This re-establishes the sandbox
    • but still allows “safe” scripting & VBS

  15. At Desktop
  • Vendor has an 8 Mb patch (2 Mb for 2000)
    • Affects many elements
    • http://support.microsoft.com/support/kb/articles/Q262/6/18.asp
  • It does seem to work well with today's problems, but what about tomorrow?
  • The executable is written to the TEMP directory prior to the screen popup
    • an exploit is already being discussed

  16. At Desktop
  • Best answer is probably an Integrity Manager / Behavior Blocker
    • no updates required unless a new mechanism is discovered
    • which doesn't happen very often
  • If a network application (mail, browser, FTP, ...) tries to write to disk or execute a local file, ask first.

  17. That other construct
  • CLSID
    • essentially a call to an internal element
    • generally one marked “safe for scripting”
      • and it shouldn't be
    • may allow creation/writes without “CreateObject”
    • the method used by BubbleBoy/KAK
    • shouldn't be in a script anyway
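Slides 12 to 14 argue for admitting only permitted extensions and then dropping anything that carries the CreateObject family, and slide 17 adds the CLSID route to the same list. The following added example (not the presenter's code nor any gateway product's; the allowlist, the set of extensions treated as text, and the sample attachments are assumptions constructed for illustration) implements that policy for one attachment: the rightmost extension is checked against an allowlist, and permitted text-type attachments, .vbs included, are scanned for the four named constructs and for CLSID references.

```python
"""Allowlist-plus-construct-scan attachment filter.

Added example, not from the original presentation. ALLOWED_EXTENSIONS and
TEXT_EXTENSIONS are illustrative assumptions; the sample attachments are
constructed and contain no real malware.
"""
import re
from dataclasses import dataclass

# Assumed allowlist: what this gateway admits. Everything else is dropped.
ALLOWED_EXTENSIONS = {"txt", "pdf", "gif", "jpg", "png", "zip", "htm", "vbs"}

# Permitted extensions whose content is script/markup and so gets scanned.
TEXT_EXTENSIONS = {"txt", "htm", "vbs"}

# The four constructs named on slide 12, plus the CLSID route from slide 17
# (both the "clsid:" moniker and an <OBJECT classid=...> attribute).
DANGEROUS_CONSTRUCTS = re.compile(
    r"\b(CreateObject|GetObject|CreateTextObject|GetTextObject)\b"
    r"|\bclsid:"
    r"|\bclassid\s*=",
    re.IGNORECASE,
)


@dataclass
class Verdict:
    allowed: bool
    reason: str


def extension_of(filename):
    """Rightmost extension, lowercased: 'x.TXT.vbs' is a .vbs, not a .txt."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def check_attachment(filename, data):
    """Apply the policy to one attachment (name + raw bytes); return a Verdict."""
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return Verdict(False, f"extension '.{ext or '(none)'}' not on allowlist")
    if ext in TEXT_EXTENSIONS:
        # latin-1 maps every byte to one character, so decoding never fails.
        text = data.decode("latin-1")
        match = DANGEROUS_CONSTRUCTS.search(text)
        if match:
            return Verdict(False, f"contains '{match.group(0)}'")
    return Verdict(True, "permitted")


# Constructed samples (placeholder content, not real malware). The GUID is
# a dummy; the double extension mirrors the Loveletter attachment name.
SAMPLES = {
    "report.txt": b"Quarterly numbers attached.\n",
    "notes.vbs": b'MsgBox "hello"\n',
    "LOVE-LETTER-FOR-YOU.TXT.vbs": b'Set fso = CreateObject("Scripting.FileSystemObject")\n',
    "card.htm": b'<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>',
    "setup.exe": b"MZ\x90\x00",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict = check_attachment(name, data)
        print(f"{'ALLOW' if verdict.allowed else 'BLOCK':5} {name}: {verdict.reason}")
```

Two caveats a practitioner would add: plain string matching is defeated by script that assembles the construct name at run time (concatenation, Chr() sequences), so this is a first cut rather than a complete control; and a permitted container such as .zip has to be unpacked and each member run through the same check, otherwise the allowlist is bypassed by wrapping.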

  18. Conclusions
  • Gateways
    • filters need to be developed that are both specific and granular
    • they need to be able to be applied/reconfigured immediately (vendors often lag by several hours)
    • a library of special filters needs to be developed
    • commitment from the gateway for immediate action
    • a specific line of authority to direct filters
    • consider “approved” attachments rather than bad ones

  19. Conclusions II
  • Gateways
    • can use multiple products; this is a good idea for scanners
    • choose defensible points, and ones that can be reconfigured quickly
  • Desktop
    • Integrity Management / Behavior Blockers may be more appropriate
      • updates are slow
      • very large numbers of desktops

  20. Thank you. Questions?
  A. Padgett Peterson, P.E., CISSP
  padgett.peterson@lmco.com