Quicktime exploit, infection, and NSM

I've recently seen malware activity that will grab data from HTTP POST requests and send the data to a web server. Reliable signatures for this malware have been part of the Bleeding rules for many months.

I would hope that up-to-date anti-virus will catch this. There is really no excuse for missing it, but it certainly doesn't have to be the only malicious result of the successful exploit attempts. It's always a good idea to remember that whatever method was used to compromise a system could have been used to do more than what is easily observable.

Using network security monitoring (NSM), I've worked backwards from the first check-in to find the infection method was the latest Quicktime exploits. Specifically, I've seen malicious QTL files in web traffic prior to the infection symptoms. I'm actually not positive that the most recent vulnerabilities are being exploited rather than one of the numerous older Quicktime vulnerabilities, but the timing of the activity suggests the more recent.

Even with a reliable IDS signature, you still have to ask whether it is worth risking the loss of data that is in POST requests. I think it's not worth risking, particularly if there is a common external web server that can be blocked to prevent the data extrusion.

There are a few ways to block data in a case like this. An inline IDS is one, but may not catch all outbound data. In this case, the signatures have an extremely low risk of blocking non-malicious traffic, but that doesn't mean they'll catch all the malicious traffic either. The signatures will accurately point out any infected systems even if configured to drop the traffic.

Blocking the IP address at a firewall would work well to prevent data loss, but has two main drawbacks. First, you won't detect infected systems with your IDS, at least not based on current signatures. The TCP handshake won't even be completed, let alone the GET request that triggers the alert. Second, but much less problematic, is that you could be blocking many websites on that particular IP address. I say less problematic because it may be the case that one compromised virtual host on an IP address means you should treat the server as completely compromised, so it is best to block the IP rather than just a FQDN.

Another way to block the server that is receiving the stolen POST data is with an appliance or software for filtering web traffic. The advantage here is that connection attempts may still generate IDS alerts even though the connection actually stops at the web filter rather than the external server. You can potentially block all the traffic while still generating IDS alerts to detect infected systems, depending on your web filter.

If blocking connections to a web server that is known as a check-in location, NSM is very useful. Put together a script or database query that looks at your session data for repeated connection attempts to the blocked site and you'll find out if you have any systems that may be infected and trying to check-in. Session data will show each connection attempt even though there will be no responses.

Tweet