Bit9


Enterprise Application Whitelisting


How Bit9 Stops DLL Hijacking Attacks with Application Whitelisting

Posted by Kate Munro on Wed, Sep 01, 2010

 

Check out this new video on YouTube by Brian Heffernan, Bit9 Systems Engineer. He demonstrates how Bit9 Parity Application Whitelisting can be used to stop the "new" DLL hijacking attacks - similar to how Bit9 Parity stops an Advanced Persistent Threat attack.


'Zero Days' of Summer: Application Whitelisting, Bit9 & DLL Hijacking

Posted by Harry Sverdlove on Thu, Aug 26, 2010

 

The Zero-Days Of Summer

 

Summer is coming to a close and yet another “zero-day” exploit is being reported (see here and here). It's not really a "zero-day", as it has been known for a long time; it’s more a design “quirk” or flaw in Windows, but the media likes to say zero-day, so I’ll oblige.

 

This one is going by the names “Binary Planting”, “DLL load hijacking”, and “DLL preloading”. According to ACROS Security, this vulnerability impacts around 200 widely used Windows applications, many of them from Microsoft. Another day, another zero-day, and the anti-malware vendors and Microsoft are forced to react, update malware signatures, and provide security updates.

 

This one is a little more pernicious because it involves behavior that many applications rely upon. Microsoft does not have a simple patch for this problem. Rather, they have introduced an update that allows you to create registry entries that may thwart such attacks but requires some pretty heavy lifting (i.e. forethought on the part of the system administrator to use properly). What a pain.

 

What is interesting is that this zero-day, almost by definition, is exactly the type of attack that whitelisting mitigates. We at Bit9 are not changing a thing in reaction to this latest vulnerability because Parity already stops it.

 

Let's break it down in simple terms. Most Windows applications contain or rely upon dozens of independent files. These files are dynamically loaded when the application runs – hence the term Dynamic-Link Library (DLL). (Note: ACROS Security claims the vulnerability can also impact EXE and COM files, but the principle behind the vulnerability is the same.) When a Windows application loads a DLL file, if it doesn’t specify a full path to that file, Windows will search a predefined set of locations. This allows programs to use shared files in the Windows System folder or anywhere in your PATH environment variable, for example, without any heavy lifting. The application simply needs to specify the filename.

 

If an attacker can place a file with the same name at a search location before the legitimate version of that file, they can get their code to run – with all the elevated privileges that your application has. Essentially, this solves the second of the two key problems that an attacker must overcome: the first is that they must get their program onto your system; the second is they must find a way to launch that code, ideally bypassing any privilege restrictions. As a bonus, they get a level of stealth because you won’t see any “strange” processes running, and if you were to look at the names of the libraries loaded in memory, you likely won’t see anything suspicious.

 

(Note: The attacker still needs to get their file onto your system at the right location, or trick you into opening a document from a remote location where their malicious library is present. Therefore, it is likely that an effective use of this vulnerability will still involve using other exploits or social engineering as part of the attack.)

 

This entire problem is non-existent if you are using an advanced whitelisting solution like Parity. Parity only allows files that are approved to load; it doesn’t matter whether they are in the Windows search path or even in the same folder as a legitimate application. It’s really very simple -- even if the application (or executable) is approved, if it tries to load an unknown or unapproved library, it will be stopped.

 

This exploit is also a great case study on the limitations of blacklisting. Since the attack can take the form of any known filename in any possible location, there is no malware “signature” that can be used to stop it globally. Only once an instance of such an attack is discovered can a signature be reactively made. Anti-malware technologies may be able to stop some of the vectors by which the file is placed, but unless the file is known bad, its simple existence in an unexpected location is not a good enough trait to build a blacklist signature.
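To make the search-order mechanics described above and the blacklist-versus-whitelist contrast concrete, here is an added example (not Bit9 or Parity code) that models a simplified Windows DLL search order in Python over a constructed in-memory file system, resolves a bare DLL name the way the loader would, and then compares a signature-style blacklist check with a hash allow-list check on the file that wins. Directory names, file contents and hashes are all constructed for the example.

```python
import hashlib

# Simplified default DLL search order for a library requested by bare filename
# (SafeDllSearchMode enabled): application directory, System32, System, Windows,
# current working directory, then each PATH entry. Constructed for the example;
# real Windows also consults KnownDLLs and modules that are already loaded.
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]


def search_order(app_dir, cwd, path_dirs):
    return [app_dir, *SYSTEM_DIRS, cwd, *path_dirs]


class FakeFileSystem:
    """In-memory stand-in for disk: maps lowercase full paths to file bytes."""

    def __init__(self, files):
        self.files = {p.lower(): data for p, data in files.items()}

    def find(self, directory, name):
        path = (directory.rstrip("\\") + "\\" + name).lower()
        return path if path in self.files else None

    def sha256(self, path):
        return hashlib.sha256(self.files[path.lower()]).hexdigest()


def resolve_dll(fs, name, app_dir, cwd, path_dirs):
    """Walk the search order and return the first path holding `name` (or None)."""
    for directory in search_order(app_dir, cwd, path_dirs):
        hit = fs.find(directory, name)
        if hit is not None:
            return hit
    return None


def blacklist_verdict(fs, path, known_bad_hashes):
    """Signature-style check: block only files whose hash is already known bad."""
    return "BLOCK" if fs.sha256(path) in known_bad_hashes else "ALLOW"


def allowlist_verdict(fs, path, approved_hashes):
    """Whitelisting check: allow only files whose hash was explicitly approved."""
    return "ALLOW" if fs.sha256(path) in approved_hashes else "BLOCK"


def simulate_load(fs, name, app_dir, cwd, path_dirs, approved, known_bad):
    """Resolve `name` as the loader would, then report both policy verdicts."""
    path = resolve_dll(fs, name, app_dir, cwd, path_dirs)
    if path is None:
        return {"path": None, "blacklist": "NOT_FOUND", "allowlist": "NOT_FOUND"}
    return {
        "path": path,
        "blacklist": blacklist_verdict(fs, path, known_bad),
        "allowlist": allowlist_verdict(fs, path, approved),
    }


# Constructed sample system: an approved application, one legitimate system DLL,
# and two planted DLLs sitting on a share the user opened a document from, which
# makes that share the process's current working directory.
APP_DIR = r"C:\Program Files\SampleApp"
SHARE = r"\\fileserver\public"
LEGIT = b"legit dll bytes"
PLANTED = b"planted dll bytes"
FS = FakeFileSystem({
    APP_DIR + r"\sampleapp.exe": b"app bytes",
    r"C:\Windows\System32\shared.dll": LEGIT,
    SHARE + r"\shared.dll": PLANTED,    # same name as the legitimate DLL
    SHARE + r"\optional.dll": PLANTED,  # name the app probes for but never ships
})
APPROVED = {hashlib.sha256(b"app bytes").hexdigest(),
            hashlib.sha256(LEGIT).hexdigest()}
KNOWN_BAD = set()  # no signature exists yet for the planted file


def scenario(name):
    """Load attempt by the approved app with the share as its working directory."""
    return simulate_load(FS, name, APP_DIR, SHARE, [r"C:\Windows\System32"],
                         APPROVED, KNOWN_BAD)


if __name__ == "__main__":
    # shared.dll: the System32 copy is found first, so the planted copy never loads.
    # optional.dll: no system copy exists, the search falls through to the share,
    # the blacklist has nothing to match, and only the allow-list blocks it.
    for dll in ("shared.dll", "optional.dll"):
        print(dll, scenario(dll))
```

The second case is the one the post describes: the application itself is approved, yet the library it tries to load is unknown, so the allow-list stops the load while a hash blacklist with no signature for the file lets it through.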

 

It's also worth noting that other reactive technologies, such as HIPS, would be equally ineffective at stopping this type of attack. A HIPS product looks for suspicious or bad network activity. So, by definition, the malware would already have to be loaded into memory and running before HIPS would be able to detect anything. Moreover, most modern attacks remain stealthy or dormant, or avoid suspicious network activity. They can do a lot of damage without triggering any HIPS-detectable behavior. Lastly, like anti-malware, HIPS technology is only as good as its latest rules, which need to be updated continually in response to known bad activity, bad IP addresses, etc.

 

If you’re waiting for your AV or HIPS vendor to fully protect you from this one, good luck.

 

There are still a few days left in summer. We’ll wait and see what zero-days are lurking in the shadows. But while the blacklisting vendors keep chasing their tails reacting to each new exploit, I’m thinking I might sneak in a few more days at the beach.


Visualizing Software Risk - part 2

Posted by Matt Petrosky on Tue, Jun 29, 2010

In my last post, I graphed the introduction of software onto a new system. In this post, I'll graph the risk that that software poses to an environment.

 

By introducing an unapproved application, end users seldom realize the risk that change could pose to the network. For example, a single user introducing an alternate web browser onto their computer might have a risk profile that looks like the graph below. By itself, a single application on a single computer does not pose a huge threat to the network (unless of course that application is malicious in nature, but we will assume for now it is not).

 

[Image: "software pull 2"]

(You can download a larger version here:  http://bit.ly/aXBFnE )

 

Over time, there may be patches or updates that need to be applied to the application, and because the end user is likely the only one who knows about this application, it is up to them to be responsible for applying these patches or updates. In an attempt to address the lack of central patching and upgrading, many products now come with self-updating functionality that will check for these files either at runtime or on a set schedule. Unfortunately, most end users are aware of neither the importance nor the urgency with which some of these patches need to be applied. Therefore, updates get postponed, versions get skipped, and vulnerable applications grow within the network.

 

Now the graph will move up the risk scale a bit because there is little control over this unknown web browser and there is a level of uncertainty about its patch level. The particular application that has been installed, the responsiveness of its publisher, and the timeliness of its patches can also bump up the risk level. For example, Secunia reports that Firefox, a very common alternate browser, had to release patches for 115 vulnerabilities in 2008 (source: http://bit.ly/cFAA4z ). Comparatively, Internet Explorer, which IT has a fairly good grasp over patching, suffered from 31 in 2008.

 

[Image: "software pull 3"]

(You can download a larger version here:  http://bit.ly/biXqpK )

 

This issue is only compounded by the fact that users will not only install an alternate web browser, but will also install games, toolbars, media players, peer-to-peer tools, and a plethora of other programs, either intentionally or unintentionally.

 

This final graph shows the compound level of risk that multiple machines introduce when they all have unwanted programs added to them. It is very easy to see why unauthorized software is almost more of a concern these days than malicious software.

 

[Image: "software pull 4"]

(You can download a larger version here:  http://bit.ly/ddF79Q )

 

All of these programs expose an organization to increased support costs, as unwanted programs conflict with business-related applications; increased re-imaging costs, since the easiest and most effective way to eliminate this software from an end user’s computer is to start from scratch; and an increased risk that a computer will be compromised through an attack on a vulnerable application.

 

It is understandable, then, why many organizations are turning towards methods, coupled with strong written policies, that can apply tighter control around what software end users are able to introduce onto their systems. Without a reasonable mechanism for attempting to inventory and patch unauthorized software, the best approach for IT is to prevent the introduction of these applications in the first place.


Visualizing Software Risk

Posted by Matt Petrosky on Sun, Jun 27, 2010

 

At Bit9, we talk with customers and prospects every day about the risk that unauthorized software introduces into an environment. Some IT folks have a difficult time presenting to senior management what the actual threat to the environment is of users introducing programs like iTunes, Firefox, or Skype. They are so commonplace that we start to get the impression that they are benign!

I've put together some charts that could be incorporated into a presentation, to help convey the message that any unmanaged application, especially if IT is unaware that it exists within the environment, is an exposure that should be addressed.

 

 

 

(You can download a larger version here:  http://bit.ly/8YxzqJ )

 

This graph illustrates the typical introduction of new software onto a freshly imaged system. The bane of any of us who have ever spent days or weeks creating a pristine base image! I think the important thing to note is that much of the "software pull" that happens over the lifetime of the computer happens relatively early. Within hours or days of a user being issued a system, they have re-introduced their favorite chat programs, music players, screen savers, and more. Once the user is satisfied with the state of the software, then over the coming months and years, you have blips of software packages getting installed, or a package upgrading to a newer version.

 

Once new unknown software has been introduced, the attack surface of that system goes up significantly. My next post will discuss this further.


Announcement: Bit9 Parity Suite 6.0

Posted by Kate Munro on Tue, Jun 22, 2010

 

This morning, Bit9 announced the launch of Bit9 Parity Suite 6.0 - the latest version of our award-winning application whitelisting solution. Bit9 Parity Suite 6.0 provides advanced threat protection against targeted and zero-day attacks.

 

As evidenced in the recent Operation Aurora attacks, the threats companies face now are much more organized, deliberate, and covert than seen in past years. With the evolving threat environment, there is no choice but to change a company's approach to security. We believe that Application Whitelisting is a central part of the answer, the "foundational" layer of the security pyramid as Gartner explains it.

 

In our recent Bit9 Unauthorized Threat Report, we found that 99 percent of polled companies noted that antivirus was running on their computers, but 46 percent noticed malicious software had passed through that antivirus security layer. These weaknesses are being targeted explicitly by cybercriminals in hopes of attaining companies' confidential information through the holes left open by antivirus.

 

The most evident problems that customers have identified as putting their business and government environments at risk are the lack of properly enforced IT policies and the inadequate management and protection of systems. To address these problems, new features found in Bit9 Parity Suite 6.0 include:

 

File Integrity Monitoring - Bit9 Parity 6.0 continuously monitors, controls and reports on all changes that occur to help prevent malware from making unauthorized changes to sensitive files. Bit9's FIM capabilities provide PCI DSS compliance.

 

Registry Protection - Bit9 Parity 6.0 comes with out-of-box policies to secure high risk and targeted registry objects. Bit9 protects specific registry objects from unauthorized and malicious changes and helps demonstrate compliance.

 

Operating System Integrity - Bit9 provides operating system tamper protection, which prevents malicious hackers from harming the OS.

 

Threat Identification - Using the Bit9 Global Software Registry™, the largest repository of software intelligence, Bit9 provides a live software inventory of all software on organizations' endpoints at any given time. Bit9 provides a Trust Factor on all software and identifies all malware attempting to execute, including the Advanced Persistent Threat. Bit9's live reports provide IT professionals with the ability to demonstrate when an advanced attack bypasses antivirus and is stopped by Application Whitelisting.

 

To learn more about Bit9 Parity Suite 6.0, visit our website here. Or if you want a free trial, sign up here.


IE Zero Day Attacks / Aurora - Hydraq

Posted by Kate Munro on Tue, Feb 02, 2010

Why is it that existing security software didn't stop Operation Aurora cyber attacks from using the Microsoft IE zero-day vulnerability to hack into multiple high-profile technology providers? Is it that this level of malware sophistication has never been seen before?

 

Dennis Blair, the US Cyber Chief, testified today before Congress and called these attacks "Cyber Pearl Harbor." Read the story in the New York Times by Mark Mazzetti here.

 

"Malicious cyber activity is occurring on an unprecedented scale with extraordinary sophistication," he said.

 

As zero-day attacks proliferate, antivirus vendors have begun blocking websites and offering intrusion prevention features aimed at trying to stop malware before it happens and even before it is identified. The problem is that the development and promotion of new security features often come as a result of cyber attacks like Operation Aurora and the Hydraq Trojan. Organizations and AV vendors appreciate the need for proactive IT security solutions, but if action is taken post-breach, the damage is already done.

 

Comprehensive layered defenses against cyber threats have been announced as the "new" methodology for preventing zero-day and targeted attacks, but proactive prevention is not new. Application Whitelisting, offered by Bit9, has been around since 2002. And many more companies are beginning to offer it.

 

Gartner analyst Neil MacDonald just wrote in his blog that: "whitelisting at the endpoints would have stopped these attacks."

 

Application Whitelisting delivers malware prevention rather than reaction by establishing a list of known and approved applications, devices and files and halting execution of everything else. We've tailored whitelisting for organizations across all industry verticals - from government and finance to retail and healthcare. So when AV reacts to new attacks with new solutions, keep in mind that it is reaction, not prevention, that distinguishes their approach.


Bit9 Releases Third Annual Report on Top Vulnerable Apps - 2009

Posted by Doug Spear on Thu, Jan 07, 2010

Bit9's annual report on the Top Vulnerable Applications for 2009 found that Adobe Acrobat, Flash Player, Reader and Shockwave showed high risk for arbitrary code execution, memory corruption and application crashing. Also rated highly vulnerable in NIST's database for 2009 were Apple QuickTime, Mozilla Firefox, Opera, RealPlayer, Sun Java and Trillian.


Microsoft's IE 6 and 7 received an "honorable mention" for a zero-day exploit that went unpatched for a period of time in August. All applications on the list require end users to manually patch or upgrade the software to eliminate the vulnerability, and are extremely common on PCs at work and home.


Should enterprises use these apps? If it makes sense for the business - of course they should. Most businesses would find it hard not to use Adobe PDF, for instance. And yet just today, SANS Institute's Internet Storm Center (ISC) reported that they'd received samples of a new rigged PDF document that hijacked PCs using a bug Adobe acknowledged Dec. 14. See Gregg Keizer's story on it in Computerworld today. So if enterprises do in fact use these apps, they need to put some monitoring and controls in place to protect their business.


Enterprise IT organizations that are not monitoring their endpoints have no reliable way to ensure that the patches for these applications have been properly applied. We encourage organizations to monitor the applications being used by their end users to make sure, first, that they know what is running and, second, that they know it has been patched properly. And in the case of these "zero-day" attacks, IT needs to put controls in place to protect against attacks for which no patches or fixes exist.


Organizations that take a layered approach can best protect themselves with: visibility across endpoints; a centralized patch-management process; and application whitelisting to prevent the use of unauthorized and potentially malicious software.

To read the report, click here.


Application Whitelisting for Government

Posted by Kate Munro on Fri, Aug 07, 2009

Criminals are getting smarter and more sophisticated, and are responsible for security breaches in both the public and private sector that put sensitive information in danger. Just last month it was discovered that cyber spies repeatedly hacked critical design data in the U.S. Joint Strike Fighter project. Brian Krebs of the Washington Post writes about the Facebook and Twitter attacks here, and the Marines have just banned Facebook.

 

From state and local government to federal defense agencies, the government seems to be constantly under attack.

 

Standards such as the Federal Information Security Act (FISMA) were put in place to provide U.S. federal agencies and contractors with a uniform set of information systems processes. But compliance, as we have seen with PCI DSS standards, is never enough. Gaining control over the software that runs on government systems is more than a strategic initiative aimed at compliance; it is crucial to protect against zero day and targeted attacks that are getting past traditional, reactive defenses.

 

Application whitelisting is emerging as a layer of IT security defenses - to monitor and control unauthorized software, as well as to discover and ban certain hashes automatically - whether that software is rogue, unwanted, common but considered vulnerable, or malicious.

 

This approach to endpoint security is fundamentally different from existing anti-virus methods that allow all applications to run and detect malware after it has already executed and potentially caused harm to systems. Application whitelisting lets you create an inventory of ‘permitted’ software that is allowed to run and allows unknown software to run in a controlled manner - until it's deemed good or bad. This lets workers use the real-time tools they need to get their job done, and reduces the burden of false positives on the IT department.

 

By having greater visibility into what applications are running on their organization's endpoints (PCs, laptops, servers), IT staff are better equipped to enforce the use of authorized applications, maintain compliance with industry standards and prevent the installation or execution of malicious, illegal and unauthorized software that can create vulnerabilities and enable targeted attacks. In fact, the recently released Consensus Audit Guidelines (CAG) prescribe application whitelisting - defining and allowing only trusted software - as a best practice for achieving FISMA compliance.

 

A well-managed application environment is also less expensive to operate, saving valuable taxpayer dollars when it matters most. According to a recent Gartner study, "A locked and well-managed desktop PC can be 42 percent less expensive to maintain than an unmanaged one."

 

We're seeing a fundamental shift in the way government operates, and this requires a more sophisticated, better-armed approach to IT security.


Application White listing Going Mainstream

Posted by Kate Munro on Tue, Nov 25, 2008

 

This article by Rob Vamosi of CNet came out last week and created a lot of debate on white listing and what it means.

 

I'm seeing a few outdated misconceptions, and a couple of points made in the posts that we can help clarify.

 

Regarding the Bit9 Global Software Registry: the Bit9 GSR is used as a look-up service - in the cloud - for enterprises that want to identify unknown applications. It provides reputation ratings for applications, which are classified by hash. This is completely different from an enterprise's white list of good applications that are allowed to execute. The enterprise decides what applications are included on their white list and which ones are acceptable according to company policy.

 

The Bit9 GSR is extremely helpful as a service for IT, security, audit and compliance professionals who are deploying white listing protection and want to find out what is on their endpoints. It is an eye-opening experience discovering all the applications that are on an enterprise's endpoints. IT professionals often find something and have no idea what it is. Think of the GSR as the Yellow Pages or Consumer Reports for trusted applications.

 

What's clear is that the blacklist-only approach to IT security is quickly becoming extinct. There's just no way to test, catalog, update, patch and scan our way to protection from malware using antivirus signatures. If there were antivirus signature updates being pushed across enterprise networks every time a virus mutated, the signature files would cause more network slowdowns than the viruses themselves.

 

 


Stars are aligned for Application Whitelisting, aka Application Control

Posted by Kate Munro on Wed, Aug 27, 2008

The stars are aligned for application whitelisting in the marketplace -- all the big players are talking about it now and analysts are predicting that it is the future.

The new Gartner analyst research report - "Application Control Market Update," 4 August 2008, by Neil MacDonald and Michael A. Silver - is a great one. To Gartner, the terms "application control" and "application whitelisting" are synonymous.

Copied below are some top quotes from the Gartner Research Note.

  • "Organizations are looking to application control solutions to augment signature-based antivirus protection and to exert more control over endpoints."
  • "We continue to advise organizations adopting application control solutions that the key to successful tool selection and implementation is the capability to automate the exception management process and to automate list management. Bit9 has delivered significant innovation in this area by enabling organizations to query their "whitelist/blacklist in the cloud" knowledge base as a subscription service (see "Cool Vendors in Infrastructure Protection, 2007")."
  • "Application "whitelisting" and "blacklisting" techniques are becoming increasingly useful to supplement shortcomings in antivirus systems. These techniques deliver more flexibility to reduce diversity, improve operations and manage PC configuration than merely locking down desktops."
  • "When antivirus agents and patching aren't possible, consider application control and system hardening as alternative security controls for point-of-sale (POS) terminals, supervisory control and data acquisition (SCADA) systems, and other devices that fall under regulatory requirements."
  • "Application control solutions address shortcomings in antivirus and other signature-based approaches and provide security and operational benefits."
  • "In most cases, application control software (see Figure 1) doesn't replace traditional antivirus and personal firewall offerings. Instead, it acts as an additional layer of protection for endpoints to supplement the increasing ineffectiveness of signature-based antivirus solutions, which can't keep up with the explosion in malware variants and the increases in targeted attacks. Application control solutions are of interest to information security and operations managers, typically for reducing the chances for image corruption, system damage or data loss by end users, rogue applications or malware."

And this whole section:

 

"Application Control Is a Gentler Form of Lockdown

 

In addition to security protection, application control solutions provide operational benefits by preventing the arbitrary introduction and execution of unknown code ("lockdown") on endpoints, even for administrators. There are several security and operational reasons that organizations may want to use application control solutions:

  • To ensure that unlicensed software isn't being used
  • To manage known PC configurations so that enterprise software is easier to deploy and maintain
  • To restrict users from running software that could be detrimental to enterprise systems or the network
  • To prevent users from adding applications to the organization's application portfolio that will require increased support and cost

Many organizations mistakenly believe that they've accomplished lockdown by removing administrative access from users and designating them as standard users. However, this can cause a number of problems:

 

  • Users who have a real business need to install applications to do their jobs won't have that right, which hampers creativity.
  • Client software components that Web sites upgrade on a regular basis (such as Flash, Acrobat Reader and Web conferencing software) cannot be updated, potentially obstructing user access to important business content or causing lost productivity, as users look for workarounds. It's nearly impossible for organizations to have the latest clients packaged for software distribution so that they can be delivered to users as needed, and standard user access does not allow exceptions.
  • Contrary to common perception, running users as standard users does not prevent them from installing and running unknown applications. Depending on the level of lockdown, standard users may be able to download and install well-behaved applications that don't require administrative privileges to install or run. Furthermore, without additional restrictions or tools, users are able to load and execute single executables from the network (including via the browser) or removable media. Organizations are also at risk from malware that targets user data and settings, rather than system files.

 

Application control solutions address these issues and provide organizations with more flexibility and granularity for all users regarding the applications that can and cannot be run. Users can be left running as administrators, allowing them to update client software as needed, including Web applications. Software that's detrimental can be automatically blacklisted, but resources (and/or subscription models) may be needed to keep the list current. Depending on the user, new software can be allowed or blocked by policy. In either case, it is always logged, so that the organization can monitor, at a granular level, what software users are looking to run. Even if users are running as standard users, application control products can plug the gap created by applications that don't require administrator privileges to install and run or single file executables."

 

As an aside, we are now registering our blog with Technorati.
