Monthly Archives: February, 2013

NBC.com Attackers & ArcSight ESM

Detecting hosts compromised by the droppers served from the compromised NBC.com site, using a correlation engine

I was alerted to the NBC.com compromise by a really proactive colleague via a whitelist. Further digging led me to an excellent dissection write-up by Dancho Danchev. This might be a watering hole or just a nice money-making opportunity. Recently journalism websites have been targeted for watering holes; however, money is usually the bigger motive.

How can ArcSight ESM, or a similar correlation engine, detect whether any of your organization’s assets have been affected?

Proxy, DNS and some IPS/IDS and firewall logs report domain names and IPv4 addresses. In most cases both a domain name list and an IP address list are useful for basic proactive detection, since some log sources carry only one of the two.

IPv4 and domain watch list for a Filter, compiled from my colleague, the Dancho Danchev blog and two additional domains I found. Detection Ratio is how many URL scanners in VirusTotal detected malicious content (a 0/33 means no scanner flagged the site, not that it is clean):

IPv4            | Domain Name                    | Detection Ratio | Reference1         | Reference2
97.79.236.200   | myauditionsite.com             | 0/33            | Virus Total Report |
74.53.9.162     | toplineops.com                 | 2/32            | Virus Total Report | URLQuery.net
66.96.145.104   | beautiesofcanada.com           | 2/34            | Virus Total Report |
66.77.124.26    | jaylenosgarage.com             | 1/34            | Virus Total Report |
62.75.204.12    | netbridgesolutions.net         | 1/34            | Virus Total Report | URLQuery.net
50.63.202.10    | gotina.net                     | 0/34            | Virus Total Report | URLQuery.net
173.254.28.49   | shutterstars.com               | 0/33            | Virus Total Report | URLQuery.net
173.201.92.1    | dedirt.com                     | 0/33            | Virus Total Report |
173.201.92.1    | madamerufus.com                | 0/33            | Virus Total Report | URLQuery.net
173.201.92.1    | electricianfortwayne.info      | 2/33            | Virus Total Report |
173.201.92.1    | injurylawyercolumbus.info      | 4/33            | Virus Total Report | URLQuery.net
173.201.92.1    | injurylawyercleveland.info     | 3/34            | Virus Total Report |
                | dogsrit.com                    | 1/33            | Virus Total Report |
68.178.232.100  | spiritualspice.us              | 0/34            | Virus Total Report |
68.178.232.100  | herbalstatelegal.com           | 1/33            | Virus Total Report |
173.201.92.1    | injurylawyerspringfieldmo.info | 3/33            | Virus Total Report |
173.201.92.1    | injurylawyerindianapolis.info  | 4/33            | Virus Total Report |

A second list for Filters and/or Active Lists to help verify an infection. These are the redirection targets and secondary indicators seen after the infected, compromised website is visited and your organization’s asset is redirected to further mayhem.

IPv4            | Domain Name / URL                                    | Reference1   | Reference2
                | instantmoneymethod.net/1105/optin.html               | URLQuery.net | Website Screen Shot
173.201.92.1    | bvkdigital.us                                        | URLQuery.net |
                | methuenedge.com                                      | URLQuery.net | Last Scanned 31/12/12
72.167.37.11    | divergentinfosoft.com/images/logos.gif?1b761=1012329 | URLQuery.net |
173.201.92.1    | bedbugsbyte.com                                      | Contact      |

The attack is carried over HTTP.

How to detect via ArcSight ESM

  • Set up your Filter “NBC-Com Suspect Attackers”, which includes both the IP and the Domain Name information
    • Or set up the Filter “NBC-Com Suspect Attackers_IP” if you only have IP logged data. Note that several listed domains share one IP (173.201.92.1 and 68.178.232.100 each host more than one), which points to shared hosting; an IP-only match will also catch traffic to unrelated sites on those hosts and should be treated as weaker evidence than a domain match
    • Or set up the Filter “NBC-Com Suspect Attackers_DN” if you only have domain name logged data
  • Open a new Channel with log data from a Firewall, Web Proxy Server, DNS Server or any Connector whose events contain IPv4 addresses or Domain Names
  • Set the start date of the Channel back to at least 21/02/2013
  • Add (Protocol = HTTP OR Port = 80) as a condition of the Channel (for a DNS Server channel drop this condition, since DNS lookups are neither HTTP nor port 80)
  • Add the Filter(s) as a further condition of the Channel, so the Channel condition reads:
    • Protocol = HTTP OR Port = 80
    • AND Filter = “NBC-Com Suspect Attackers”
  • Give the Channel time to load, adjusting the sliding timeline as required for performance and monitoring
  • Investigate hosts communicating with the suspect external actors
    • Assign higher priority to those endpoints which are most critical, communicate externally the most, behave strangely or breach the perimeter
    • I commonly add these suspect hosts to an Active List, Potentially Compromised Hosts, to observe until they are re-imaged or otherwise cleaned
    • Use the data to build a report showing how many compromised assets your department caught that anti-virus or anti-malware could not
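The same filter, channel conditions and prioritisation, written out as a script so they can be checked against a handful of events before being built in the console. This is an added example and not the author’s ArcSight content: the watch list is transcribed from the two tables above, the event export uses ArcSight-style field names (endTime, sourceAddress, destinationAddress, destinationPort, applicationProtocol, destinationHostName, requestUrl) as an assumption about the export format, the sample events are constructed, and the scoring weights are an assumed convention rather than anything from the post. Domain hits include subdomains; an IP-only hit is recorded separately as lower-confidence because of the shared-hosting IPs in the list, and shared_hosting_ips() reports which addresses those are.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Indicators from the two tables on this page: (IPv4 or None where the page lists none, domain/URL, stage).
INDICATORS = [
    ("97.79.236.200", "myauditionsite.com", "dropper"),
    ("74.53.9.162", "toplineops.com", "dropper"),
    ("66.96.145.104", "beautiesofcanada.com", "dropper"),
    ("66.77.124.26", "jaylenosgarage.com", "dropper"),
    ("62.75.204.12", "netbridgesolutions.net", "dropper"),
    ("50.63.202.10", "gotina.net", "dropper"),
    ("173.254.28.49", "shutterstars.com", "dropper"),
    *[("173.201.92.1", d, "dropper") for d in (
        "dedirt.com", "madamerufus.com", "electricianfortwayne.info", "injurylawyercolumbus.info",
        "injurylawyercleveland.info", "injurylawyerspringfieldmo.info", "injurylawyerindianapolis.info")],
    (None, "dogsrit.com", "dropper"),
    ("68.178.232.100", "spiritualspice.us", "dropper"),
    ("68.178.232.100", "herbalstatelegal.com", "dropper"),
    (None, "instantmoneymethod.net/1105/optin.html", "redirect"),
    ("173.201.92.1", "bvkdigital.us", "redirect"),
    (None, "methuenedge.com", "redirect"),
    ("72.167.37.11", "divergentinfosoft.com/images/logos.gif?1b761=1012329", "redirect"),
    ("173.201.92.1", "bedbugsbyte.com", "redirect"),
]
CHANNEL_START = datetime(2013, 2, 21, tzinfo=timezone.utc)  # "back to at least 21/02/2013"
SCORE = {"dropper": 3, "redirect": 2, "ip-only": 1}  # assumed weights, not from the post

# Constructed sample export using ArcSight-style field names; not real log data.
SAMPLE_EVENTS = """\
endTime,sourceAddress,destinationAddress,destinationPort,applicationProtocol,destinationHostName,requestUrl
2013-02-20T09:12:44Z,10.20.30.40,97.79.236.200,80,HTTP,myauditionsite.com,http://myauditionsite.com/
2013-02-21T10:15:02Z,10.20.30.40,173.201.92.1,80,HTTP,injurylawyercolumbus.info,http://injurylawyercolumbus.info/index.php
2013-02-21T10:15:09Z,10.20.30.40,72.167.37.11,80,HTTP,,http://divergentinfosoft.com/images/logos.gif?1b761=1012329
2013-02-22T14:03:51Z,10.20.30.41,173.201.92.1,80,HTTP,parked-site.example,http://parked-site.example/
2013-02-22T14:10:00Z,10.20.30.42,50.63.202.10,443,SSL,,
2013-02-23T08:00:00Z,10.20.30.43,10.0.0.53,53,DNS,www.gotina.net,
"""

def host_of(entry):
    """'divergentinfosoft.com/images/logos.gif?1b761=1012329' -> 'divergentinfosoft.com'."""
    return entry.split("/", 1)[0].lower()

def build_watchlist():
    """Filter content: {domain: stage} and {ip: set of listed domains on that ip}."""
    domains, ip_domains = {}, defaultdict(set)
    for ip, entry, stage in INDICATORS:
        domains[host_of(entry)] = stage
        if ip:
            ip_domains[ip].add(host_of(entry))
    return domains, dict(ip_domains)

def shared_hosting_ips():
    """IPs that host more than one listed domain; an IP-only match on these is weak evidence."""
    return {ip for ip, doms in build_watchlist()[1].items() if len(doms) > 1}

def domain_hit(host, domains):
    """Exact or subdomain match, so www.gotina.net matches the listed gotina.net."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in domains:
            return ".".join(labels[i:])
    return None

def passes_channel(ev, http_only=True):
    """The post's channel conditions: endTime >= 21/02/2013 and (Protocol = HTTP or Port = 80).
    http_only=False drops the protocol clause, which a DNS-log channel needs."""
    if ev["endTime"] < CHANNEL_START:
        return False
    return not http_only or ev["applicationProtocol"].upper() == "HTTP" or ev["destinationPort"] == 80

def sweep(csv_text, http_only=True):
    """{internal source: [hits]} for events matching the filter; domain hits outrank IP-only hits."""
    domains, ip_domains = build_watchlist()
    hits = defaultdict(list)
    for ev in csv.DictReader(io.StringIO(csv_text)):
        ev["endTime"] = datetime.strptime(ev["endTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["destinationPort"] = int(ev["destinationPort"] or 0)
        if not passes_channel(ev, http_only):
            continue
        host = ev["destinationHostName"] or (urlsplit(ev["requestUrl"]).hostname or "")
        matched = domain_hit(host, domains)
        if matched:
            hits[ev["sourceAddress"]].append({"indicator": matched, "match": "domain", "stage": domains[matched]})
        elif ev["destinationAddress"] in ip_domains:  # no domain evidence: record a lower-confidence hit
            hits[ev["sourceAddress"]].append({"indicator": ev["destinationAddress"], "match": "ip", "stage": "ip-only"})
    return dict(hits)

def prioritize(hits):
    """Rank hosts for the Potentially Compromised Hosts active list by score over distinct indicators."""
    ranked = []
    for src, hs in hits.items():
        distinct = {(h["indicator"], h["stage"]) for h in hs}
        ranked.append((src, sum(SCORE[s] for _, s in distinct), sorted(i for i, _ in distinct)))
    return sorted(ranked, key=lambda r: (-r[1], r[0]))
```

Running prioritize(sweep(SAMPLE_EVENTS)) ranks 10.20.30.40 first (a dropper domain plus a redirect URL, both by name) and 10.20.30.41 last (only an IP-only hit on the shared 173.201.92.1 host, the case the IP-only caveat is about); the event dated 20/02 is outside the channel window and the 443/SSL connection fails the HTTP-or-port-80 condition, exactly as they would in the console. With http_only=False the DNS lookup for www.gotina.net is also caught, which is how a DNS-log channel should be run.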

 

 


 

Power outages, mud and slow internet

ITSec challenges in a less developed country

It is a strange feeling when the tour book is exactly right about your holiday location. There really is only one international ATM machine for an island of 330,000 people. The power goes out, a lot. The police take up, um, “road side collections” and can be quite heavily armed. I don’t know when I felt more scared, being sued last year or when my father-in-law politely drove off after refusing to pay an on-the-spot fine/bribe. Tanzania, like any other country, has challenges. Some are quite frustrating to IT goals, such as extremely expensive, low-quality, slow internet service, or frequent outages and unstable electricity. It is still possible to have the technology needed to run an organization in this harsh IT environment.

Friendly tips for basic IT sanity in Tanzania

  1. Don’t expect clean, stable electricity all the time.
    1. Use uninterruptible power supplies on all your desktops.
    2. Have a building battery backup or a generator with fuel.
    3. Always connect your electronics to a power strip that is at least a surge protector.
  2. Expect to lose your stuff.
    1. Any country where the majority of the population lives on about $1.70 a day gives rise to desperation and petty theft.
    2. Employees can be easily bribed by your competition. Pay and treat them well.
    3. Encrypt your drives, from hard drives to SD cards. It is far better to lose a smartphone whose data is encrypted than to lose a smartphone with sensitive or embarrassing information on it that anyone can read.
    4. Weather and the environment are harsh; plan for hardware failures.
  3. Limited number of talented IT technologists
    1. One of the islands we visited, part of Zanzibar, only received electricity in 2010. Schools near Dar es Salaam have no desks, let alone electricity. Computer technology is new here.
    2. Learn some Swahili; it will help you explain issues. Google Translate for Swahili is in its infancy and cannot currently be relied upon.
    3. Research your staff or support company well. There are very few options, but ask around before you sign any contract or make a new hire.
  4. Bandwidth is not up to European standards.
    1. Some Europeans and Asians have the good life when it comes to the internet: lightning-fast speeds and great quality. This is Africa.
    2. Expect to pay a lot for any internet service.
    3. Have a backup provider just in case yours fails.
    4. Do not take the cheapest option unless it is a promotional deal from a reputable provider.
    5. Use a router/modem that also has a 3G or better backup connection. This can keep your office, or you, up and running if your provider loses power.
  5. Cost and availability
    1. What is available in other parts of the world might not be available in Africa.
    2. High-end hardware or software might not be sold or supported here due to the lack of a customer base.
    3. If you must import hardware, bring spares.
  6. Security
    1. Availability: back up to a mirrored drive and save to the cloud, uploading and synchronizing as required. Use more than one DNS provider and do not rely solely on your ISP.
    2. Integrity: lock down those USB drives and use endpoint protection.
    3. Confidentiality: install encryption software for hard drives, cloud backups and email. The government, and possibly others, most likely monitor unencrypted communications.

Tanzania and similar countries are challenging but can yield successful IT implementations. Few places in the world make the challenge so worth it: beaches, live coral, lions, elephants, galloping giraffes and the Rift Valley. The people are generally happy, and the terrain, lagoons and cultures are beautiful and enticing.

I didn’t plan on spending my New Year’s Eve covered with mud after trying to push an SUV out of an impassable road. Luckily someone came along with a shovel by chance within an hour. Our rescuers tried to tow us out, but the rope broke. Although it was the best New Year’s Eve ever, we could have avoided the mud baths if we had packed a rope and a shovel.