There’s a story on Threatpost about a long-standing spear-phishing operation aimed at defense contractors.
Here’s what happens when a user gets infected through a zero-day Adobe Reader vulnerability*:
Once the malware is resident on an infected machine, it will reach out to a remote C&C server and deliver some information about the machine that it’s on, including the OS level and some custom identifiers that serve as the authentication method for the new client to the server. The malware then can download new files from the server, upload files to it and execute commands issued by the C&C machine.
(C&C = command and control)
Now having a user machine infected with a Trojan is certainly a bad thing. But a good set of firewall policies could mitigate the risk. Normally people think of a firewall as blocking bad traffic from coming into your network, but they should also block bad traffic from your network from going out or spreading internally.
I emphasize should, because it is all too common to have no blocking rules set on internal networks.
With proper internal rules in place any unknown port should be shut off, so if this Trojan communicates on some specific, random port, the firewall would disallow those packets. Of course, the malware authors are savvy enough to put out stuff that works over HTTP and HTTPS nowadays, and you probably aren’t blocking port 80 or 443. So what are we to do to keep our compromised system from reaching out to the enemy?
Two options come to mind immediately:
- Whitelists on the firewall
- Behavior-based rules
Whitelists are annoying to end users, since you are basically setting a list of websites they are allowed to go to. You’d likely have numerous requests to allow sites that didn’t make the initial list. However, this is the most secure way to prevent malware from communicating out from your network.
You can do a blacklist instead, but then you would rely on your ability to detect the infection soon after it occurred and add the offending C&C server address to your blacklist.
Behavior-based rules are available in some firewall appliances and intrusion detection systems (IDS). By inspecting the packet traffic between client and server, systems are able to flag or block potentially harmful behavior. It’s imperfect, but it can help.
*speaking of Adobe Reader…please don’t install it if alternatives are viable. There are a lot of PDF readers out there, and none are targeted the way Adobe is for vulnerabilities. They are generally simpler as well, reducing the program’s attack surface at the expense of extra features.