Showing posts with label Malware analysis.

Monday, January 14, 2008

Windows Security Features, Securing Microsoft Products

Microsoft has become very security conscious since that whole Code Red / Nimda business back in 2001. They've added features like Mandatory Integrity Control, Windows Service Hardening, User Account Control, BitLocker, Windows Firewall, Data Execution Prevention (DEP), ASLR (Address Space Layout Randomization), signed binaries and LKMs (loadable kernel modules), Windows Defender, the Malicious Software Removal Tool, Microsoft Baseline Security Analyzer, Windows File Protection (WFP) and System File Checker (sfc.exe; just run sfc /scannow or /scanboot etc. to check and fix broken system files), the Security Configuration Wizard (scw) in Windows Server, etc.

These features can easily compete with their counterparts on UNIX and *NIX systems: chroots and jails (Windows Service Hardening), RBAC / su / sudo (UAC, MIC), GELI/GBDE GEOM classes on FreeBSD and cryptoloop/dm-crypt on Linux (BitLocker), IPF/IPFW/PF/iptables (Windows Firewall with Advanced Security -> wf.msc / WFAS in mmc), OpenBSD W^X, SSP and Linux PaX / Exec Shield (ASLR, DEP), IPsec, signed binaries / LKMs, chkrootkit/Rootkit Hunter (Windows Defender, RootkitRevealer, Strider GhostBuster), Bastille (a UNIX hardening tool like the Security Configuration Wizard - SCW - on Windows Server; available for Linux, HP-UX, etc.) and so on.

The same goes for development tools: GCC has ProPolice / SSP, and Visual Studio has the /GS switch to protect against buffer overruns.

It's pretty clear: the security features are there; it's up to LAYER 8 (you!) to put them into practice.

The key idea here is *mitigation*. Don't abuse the administrative accounts, read and apply those security guides and, above all, use common sense. After all, Microsoft runs Windows on their own servers (they even run 2008 while it's still in the release candidate stage), and they're one of the biggest targets for abuse. There goes the argument that you "can't secure Windows".

Here are some links (they try to point to the more technical guides):

They have also started releasing some very good hardening guides:
Microsoft has also started its own line of security products, with:


Internet Explorer vs. Firefox shows it's not that peachy "on the other side" either, and the response time from both is fair.



What about the whole "open source" - many eyes concept?
Doesn't this mean Microsoft is horribly insecure? What about 3rd party code reviews?

That whole concept is highly overrated. 99% of open source users have never seen a line of code in their lives. Simple as that. Just because you can install Ubuntu doesn't make you a kernel developer. Don't get me wrong, I love open source software; I'm just not rushing to make any claims about how the open source development model adds security (remember, you can have a whole lot more malicious people looking at the code than developers).

Anyway, enterprise customers can still get access to Windows and other Microsoft sources through various Shared Source programs:

Enterprise Source Licensing Program (ESLP)

"The ESLP allows eligible enterprise customers access to Microsoft Windows source code for internal development and support purposes, including debugging. This enables customers to develop and support their internally deployed applications and solutions that run on Windows."

Thursday, December 06, 2007

Exploit development frameworks and platforms - Metasploit, MSF-XB

Metasploit:

The Metasploit Project is an open source computer security project that aids penetration testing activities and IDS signature development and provides information on security vulnerabilities.



Components:

  • The Metasploit Framework is a development platform for creating security tools and exploits. The framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers worldwide. The framework is written in the Ruby programming language (rewritten from Perl) and includes components written in C and ASM. The Metasploit Framework consists of tools, libraries, modules, and user interfaces. The basic function of the framework is a module launcher, allowing the user to configure an exploit module and launch it at a target system. If the exploit succeeds, the payload is executed on the target and the user is provided with a shell to interact with the payload.
  • The Shellcode Archive contains various payloads written by the Metasploit staff. It includes the Windows Shellcode Development Kit.
  • The Opcode Database contains the position of certain machine language opcodes in the attacked program or included DLLs.

MSF-eXploit Builder


  • MSF-eXploit Builder (MSF-XB) is a free Windows GUI and exploit development platform for Metasploit Framework exploit modules. It helps you edit/modify/create/test exploit modules for the Metasploit Framework. It also contains an assortment of fuzzers (TAOF, ProxyFuzz, FileFuzz, WinFuzz) and various other tools (Branchseeker, Faultmon, mycrc, nc, Findjmp2 and even PsTools). It requires an installed Metasploit Framework and a debugger (try Immunity Debugger).




SecurityForest Exploitation Framework:

  • SecurityForest's Exploitation Framework is similar in concept to Metasploit, and is written in Perl. The major difference is that it leverages the massive number of exploits available in the ExploitTree. These exploits are publicly available and do not have to be re-written to be used in the framework (no matter what language and sometimes no matter what OS). It basically acts as a graphical user interface to the ExploitTree, which is dynamically updated at the same time as the ExploitTree.




E-mail exploitation frameworks:

  • PIRANA is an exploitation framework that tests the security of an e-mail content filter. By means of a vulnerability database, the content filter to be tested is bombarded with various e-mails containing a malicious payload intended to compromise the computing platform. PIRANA's goal is to test whether or not any vulnerability exists on the content filtering platform. This tool uses the shellcode generator from the Metasploit Framework!

Browser Exploitation Framework:
  • BeEF is the browser exploitation framework used to demonstrate the real-time impact of XSS browser vulnerabilities.
  • Nikto is an Open Source web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

Network Vulnerability Scanners

  • Nessus is a comprehensive vulnerability scanning program. Its goal is to detect potential or confirmed weaknesses on the tested machines.
  • FwTest is a firewall testing tool.

Online vulnerability databases:
  • Secunia provides security advisories and information about patches, and provides software for vulnerability management.
  • Milw0rm is an exploit database separated by exploit type.

Immunity Debugger - an exploit development debugger

Immunity Debugger is a powerful new way to write exploits, analyze malware, and reverse engineer binary files. It builds on a solid user interface with function graphing, the industry's first heap analysis tool built specifically for heap creation, and a large and well-supported Python API for easy extensibility. It is similar to OllyDbg in functionality and interface.

Immunity Debugger is said to cut exploit development times in half and has a powerful scripting language and connectivity to fuzzers and exploit development tools.

Tuesday, December 04, 2007

SANS TOP-20 Security Risks for 2007

SANS Institute TOP-20 Security Risks - 2007 Annual Update

We have seen significant growth in the number of client-side vulnerabilities, including vulnerabilities in browsers, in office software, in media players and in other desktop applications. These vulnerabilities are being discovered on multiple operating systems and are being massively exploited in the wild, often to drive recruitment for botnets.



Executive summary:

"Web application vulnerabilities in open-source as well as custom-built applications account for almost half the total number of vulnerabilities being discovered in the past year."

Friday, November 30, 2007

Advanced malware analysis and forensics using virtualization and free tools

Here are a few quick steps for performing malware analysis on various badware (viruses, worms, trojans, rootkits) that you may find in the course of a computer forensics investigation. In this case, I'm analyzing a variant of Sohanad, an instant messaging worm, also known as "the cool pics worm".

Tools of the trade:


Initial configuration of the workbench:

We're going to set up VirtualBox (or any other virtualization product) with a copy of Windows XP SP2, update it and take a snapshot so we can easily move back to a clean system.

  • Use VirtualBox to install Windows XP SP2 in a virtual machine.
  • Take a snapshot of the virtual machine - "Initial Install".
  • Install the VirtualBox Guest Additions.
  • Install Microsoft Update and update the system.
  • Create an ISO image of your tools, and mount it inside the virtual machine.
  • Take another snapshot of the virtual machine - "Updated and configured".
  • Add your tools to PATH to speed things up.

Analyze the malware:

  • Use Process Explorer, Sysinternals Autoruns, RootkitRevealer, HijackThis and so on to find running processes and targets for analysis, then put them in the virtual machine "sandbox". Also, make sure you check the digital signature of files you suspect of being malware (Right Click - Properties - Digital Signatures). A good way of revealing malware is looking for suspicious entries in Sysinternals Autoruns (just hide signed Microsoft entries, then look for unsigned or fake-signature entries). Remember though, malware can also be digitally self-signed.
  • The target: "New Folder.exe" - self-described as "Worm2007" by "IT University".
  • Determine the file type using "magic": file "New Folder.exe"; use PEiD and File Analyzer to get header info.
  • Use "strings" to parse the file for Unicode and ASCII strings: strings -n 8 "New Folder.exe"
  • Use "head" to see the first few lines of the file: head -5 "New Folder.exe" - we can already see this file is packed with UPX. upx -l "New Folder.exe" confirms this.
  • Uncompress the file: upx -d "New Folder.exe"
  • Parse the file again with "file" and "strings" - this time we can see a lot more information.
  • Use PE Explorer and "File Analyzer" to get even more information about PE headers, dependencies and so on.
  • Fire up OllyDbg, IDA Pro Freeware, Immunity Debugger, WinDbg or your favourite debugger / disassembler and analyze the file.
  • Start Sysinternals ProcExp (Process Explorer - Task Manager on steroids), ProcMon (Filemon and Regmon combined), handle (check file handles) and TCPView, plus Wireshark (formerly Ethereal) or MS Network Monitor, and run the piece of malware! We're going to see exactly what files and registry items it tries to change, what network connections it opens and what kind of network traffic it generates. We can also use "netstat -abn" to list network connections. We can later just restore the VirtualBox snapshot to get back to an untainted system.
  • We restart the machine to allow the malware to apply its group policies and registry changes / autoruns properly :-). We can see the effect of the applied group policies (it disables regedit and taskman, but forgets about gpedit.msc and tasklist, for example).
  • We use Sysinternals Autoruns, RootkitRevealer and HijackThis to see how this piece of malware starts. With Sysinternals Autoruns we simply hide signed Microsoft entries, and we can see 3rd party products, such as our piece of badware, hiding in lsass-, svchost- or ymessenger-named entries.
  • We use HijackThis to list changes to our system, like disabling regedit, starting a really strange "svchost32.exe" that shouldn't be there and making the IE default webpage "thec**lpics.com" -> don't access it, it's the malware's homepage…
O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\svchost32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
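The static-triage steps above (file, strings -n 8, upx -l) can be reproduced with a few lines of standard-library Python. The block below is an added example, not code from the original post: it parses the PE section table to look for the UPX0/UPX1 section names and the "UPX!" stub marker that give a UPX-packed file away, and it extracts ASCII and UTF-16LE strings of at least eight characters the way strings -n 8 does. It runs on a constructed, non-executable PE skeleton built inline by build_sample (an assumed helper; the "Worm2007" and "IT University" strings are the ones quoted above), not on the real worm.

```python
"""Static triage of a suspect PE: packer check plus string extraction.

Added example (not the original post's code). It mirrors what `file`,
`upx -l` and `strings -n 8` told the author about "New Folder.exe" using
only the standard library. build_sample() is an assumed helper that
constructs a non-executable PE skeleton for the demonstration.
"""
import re
import struct

MIN_LEN = 8  # same threshold as `strings -n 8`


def parse_sections(data: bytes) -> list[str]:
    """Section names from the PE section table; [] if this is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2)
    # Characteristics(2)
    coff = e_lfanew + 4
    if len(data) < coff + 20:
        return []
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        raw = data[off:off + 8]
        if len(raw) < 8:
            break
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """UPX renames sections to UPX0/UPX1 and leaves a 'UPX!' marker."""
    names = parse_sections(data)
    return any(n.startswith("UPX") for n in names) or b"UPX!" in data


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """ASCII runs, then UTF-16LE runs, of printable chars (like strings -n)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def build_sample() -> bytes:
    """Constructed PE skeleton: DOS header, PE signature, COFF header, a
    16-byte dummy optional header, two UPX-named sections and a body that
    carries the strings the post found. It is not executable."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    opt_size = 16
    # Machine=i386, 2 sections, no symbols, opt header size, EXE|32-bit
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt = b"\0" * opt_size

    def section(name: bytes) -> bytes:
        return name.ljust(8, b"\0") + b"\0" * 32

    body = b"UPX!" + b"Worm2007\0\0" + "IT University".encode("utf-16le") + b"\0\0"
    return dos + b"PE\0\0" + coff + opt + section(b"UPX0") + section(b"UPX1") + body


def triage(data: bytes) -> dict:
    """One-shot summary a first-pass analyst wants before `upx -d`."""
    sections = parse_sections(data)
    return {
        "has_section_table": bool(sections),
        "sections": sections,
        "upx_packed": looks_upx_packed(data),
        "strings": extract_strings(data),
    }


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

A positive UPX result here is the cue to run upx -d and repeat the string pass; a packed sample yields almost nothing useful until it is unpacked, which is exactly what the "parse the file again" step above relies on.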

To remove the malware, you just need to reverse all the changes it has made to the registry and filesystem. Once you've written down the location of the files from ProcMon and the running binaries from ProcExp, you can start by stopping the virus:

You can stop the virus processes easily with Process Explorer, or you could just use "taskkill":
taskkill /F /IM svchost32.exe /T
You could also disable it from running at startup by removing it using Sysinternals Autoruns.

Once you've identified all the processes and what executables they were running from, just use WinDiff, EasyDuplicateFinder or something similar to find all identical binaries, and remove them.

You can then use "Fix checked" in HijackThis, and "reg add" or "reg delete", a .reg file or gpedit.msc to manually re-enable the Registry Editor or other disabled features in Windows. You could also use an offline registry editor. Example:
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools"
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools"
reg add "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main" /v "Window Title" /d ""
reg add "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.msn.com"
To restore the files the malware removed (like msconfig.exe), just pop in the Windows CD and use "expand" to uncompress and restore them: EXPAND -R D:\I386\MSCONFIG.EX_ c:\Windows\System32. Windows may also keep some copies of msconfig.exe around, but they may or may not be safe. Check the digital signature.
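To make the "write down what ProcMon showed, then reverse it" step concrete, here is an added example that is not from the original post. It reads a constructed ProcMon-style CSV export (the column names follow ProcMon's CSV export; the rows, the PID and the start page URL are made up, while the registry paths and svchost32.exe are the ones listed above), flags the writes that matter (Run-key autoruns, the DisableRegistryTools/DisableTaskMgr policy values, the IE start page, a dropped .exe under C:\WINDOWS) and emits the taskkill / reg delete / reg add / del commands that undo them, killing the process before touching its files. The names find_persistence, remediation_plan and Finding are my own.

```python
"""Turn a ProcMon trace into persistence findings and a reversal plan.

Added example, not the original post's code. The trace below is
constructed to look like ProcMon's CSV export while "New Folder.exe" runs;
the registry paths and svchost32.exe come from the post, everything else
(timestamps, PIDs, the start page URL) is made up.
"""
import csv
import io
import re
from dataclasses import dataclass

SAMPLE_TRACE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","New Folder.exe","1234","WriteFile","C:\WINDOWS\svchost32.exe","SUCCESS","Offset: 0, Length: 40,960"
"10:01:02.3","New Folder.exe","1234","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Task Manager","SUCCESS","Type: REG_SZ, Length: 52, Data: C:\WINDOWS\svchost32.exe"
"10:01:02.4","New Folder.exe","1234","RegSetValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:02.5","New Folder.exe","1234","RegSetValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:02.6","New Folder.exe","1234","RegSetValue","HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page","SUCCESS","Type: REG_SZ, Length: 48, Data: http://www.example.invalid/"
"10:01:02.7","New Folder.exe","1234","RegSetValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop","SUCCESS","Type: REG_SZ, Length: 60, Data: C:\Documents and Settings\user\Desktop"
"10:01:03.0","explorer.exe","800","RegQueryValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe","SUCCESS","Type: REG_SZ, Length: 40, Data: C:\WINDOWS\system32\ctfmon.exe"
'''


@dataclass
class Finding:
    kind: str   # "autorun", "policy", "ie_hijack" or "dropped_file"
    key: str    # registry key, or the file path for dropped_file
    value: str  # registry value name ("" for files)
    data: str   # what was written, as ProcMon's Detail column reports it


POLICY_VALUES = {"DisableRegistryTools", "DisableTaskMgr"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
POLICY_RE = re.compile(r"\\Policies\\System\\[^\\]+$", re.IGNORECASE)
START_PAGE_RE = re.compile(r"\\Internet Explorer\\Main\\Start Page$", re.IGNORECASE)
DATA_RE = re.compile(r"Data: (.*)$")


def _data(detail: str) -> str:
    m = DATA_RE.search(detail)
    return m.group(1) if m else ""


def find_persistence(trace_csv: str) -> list[Finding]:
    """Only successful writes count; reads of the same keys are noise."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(trace_csv)):
        if row["Result"] != "SUCCESS":
            continue
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op == "RegSetValue":
            key, _, value = path.rpartition("\\")
            if RUN_KEY_RE.search(path):
                findings.append(Finding("autorun", key, value, _data(detail)))
            elif POLICY_RE.search(path) and value in POLICY_VALUES:
                findings.append(Finding("policy", key, value, _data(detail)))
            elif START_PAGE_RE.search(path):
                findings.append(Finding("ie_hijack", key, value, _data(detail)))
        elif (op == "WriteFile" and path.lower().endswith(".exe")
              and path.lower().startswith("c:\\windows\\")):
            findings.append(Finding("dropped_file", path, "", ""))
    return findings


def remediation_plan(findings: list[Finding], home_page: str = "about:blank") -> list[str]:
    """Commands, in run order: kill the dropped binaries first so they cannot
    re-create their autorun entries, then fix the registry, then delete files."""
    kills, regs, files = [], [], []
    for f in findings:
        if f.kind == "dropped_file":
            name = f.key.rsplit("\\", 1)[-1]
            kills.append(f'taskkill /F /IM "{name}" /T')
            files.append(f'del /F "{f.key}"')
        elif f.kind in ("autorun", "policy"):
            regs.append(f'reg delete "{f.key}" /v "{f.value}" /f')
        elif f.kind == "ie_hijack":
            regs.append(f'reg add "{f.key}" /v "{f.value}" /d "{home_page}" /f')
    return kills + regs + files


if __name__ == "__main__":
    for finding in find_persistence(SAMPLE_TRACE):
        print(finding)
    print("\n".join(remediation_plan(SAMPLE_TRACE and find_persistence(SAMPLE_TRACE))))
```

The benign rows (explorer.exe reading its own Run entry, the Shell Folders write) are deliberately in the trace: a plan built from every RegSetValue would wreck the profile, so the filter is as important as the reversal. Review the printed plan before running it on the VM, and keep the snapshot as the fallback.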