
Sourcefire Case Study:

Zotob: Making the Case for True Intrusion Prevention

THE TRUE THREAT OF ZOTOB
The Zotob worm provides a clear example of the consistently shrinking window of time between the announcement of a new vulnerability and the emergence of a threat intended to exploit it. One obvious implication of this disturbing trend is that conventional patching processes can no longer be relied upon as the primary threat mitigation technique. Fortunately, this is where intrusion prevention systems can play an instrumental role, providing 'virtual patching' by preventing threat-related traffic from reaching susceptible hosts. Zotob also demonstrated, however, that first-generation intrusion prevention sensors are not always sufficient. At best, they can only prevent what they can see: threat traffic that passes through their specific location on the network. Ultimately what is needed instead is a more holistic approach that provides true intrusion prevention, one that goes well beyond basic threat detection, combining endpoint, threat, and network intelligence to defend networks against all threats, from all vectors, all of the time. In other words, what is needed is the Sourcefire 3D System.

STAYING AHEAD OF THREATS
To be clear, the starting point for any effective intrusion prevention strategy is in fact an inline intrusion prevention sensor. Of course, in the case of near-zero-day threats such as Zotob, the effectiveness of this component depends not only on the accuracy but also on the timely availability of the associated detection algorithms and signatures. In this regard, Sourcefire's Vulnerability Research Team (VRT) is an invaluable resource. The Sourcefire VRT is a group of leading-edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts, and vulnerabilities. Their diligent efforts often enable Sourcefire to provide its customers with coverage well in advance of an actual threat. For example, when the team learned of the Microsoft Plug-and-Play vulnerability, the potential for devastating attacks was immediately apparent. Within days they generated and released new VRT Certified Snort® rules to detect attempts to exploit this weakness. As a result, when Zotob emerged two days later, Sourcefire customers were already protected. The key point is that by focusing on the characteristics of the underlying vulnerability, rather than on the bytes of any one exploit, Sourcefire was able to provide protection prior to an actual threat being released. Equally important, this protection extended even as variants of Zotob were spawned in the days to come, without the need for any further updates. This capability is due to the robustness of the Snort rules language, which enables the VRT to write compound rules capable of stopping both the original threat and its inevitable progeny.
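The distinction the paragraph draws, a rule keyed on the condition that triggers the vulnerability versus a rule keyed on one worm's bytes, is illustrated below. This is an added example, not a Sourcefire or VRT rule and not real Zotob traffic: the request format (a 2-byte length field followed by name data copied into an assumed 64-byte fixed buffer) is a hypothetical stand-in for the real PnP/SMB encoding, and the worm payloads and marker string are constructed. The exploit-signature matcher catches the first worm but misses a re-packed variant; the vulnerability-condition matcher catches both, and it deliberately declines to decide on a truncated record, since a real sensor would reassemble the stream first.

```python
"""Vulnerability-condition matching versus exploit-string matching.

Added example (not a Sourcefire or VRT rule). The request format is a
hypothetical stand-in for the real Windows PnP/SMB encoding: a 2-byte
big-endian length field followed by that many bytes of name data, which
the assumed service copies into a fixed 64-byte buffer without checking
the length. The worm payloads are constructed, not real Zotob bytes.
"""
import struct

FIXED_BUFFER_LEN = 64            # assumed size of the vulnerable buffer
WORM_A_MARKER = b"WORM-A-STUB"   # constructed marker standing in for the first worm's payload


def build_request(name: bytes) -> bytes:
    """Encode a request in the hypothetical length-prefixed format."""
    return struct.pack(">H", len(name)) + name


def parse_request(pkt: bytes):
    """Return (declared_len, name) or None when the record is truncated.

    A real sensor would reassemble the TCP stream first; here a truncated
    record means "cannot decide", so neither matcher fires on it.
    """
    if len(pkt) < 2:
        return None
    (declared,) = struct.unpack(">H", pkt[:2])
    body = pkt[2:]
    if len(body) < declared:
        return None
    return declared, body[:declared]


def matches_exploit_signature(pkt: bytes) -> bool:
    """Exploit-centric rule: looks for bytes unique to one known worm."""
    parsed = parse_request(pkt)
    return parsed is not None and WORM_A_MARKER in parsed[1]


def matches_vulnerability_condition(pkt: bytes) -> bool:
    """Vulnerability-centric rule: fires on the condition that triggers the
    overflow (declared length exceeding the fixed buffer), whatever the
    payload bytes happen to be."""
    parsed = parse_request(pkt)
    return parsed is not None and parsed[0] > FIXED_BUFFER_LEN


# Constructed traffic samples.
BENIGN = build_request(b"legit-device-0001")
WORM_A = build_request(WORM_A_MARKER + b"A" * 200)             # original worm
VARIANT_B = build_request(b"\x90" * 120 + b"OTHER-SHELLCODE")  # re-packed variant, no marker
TRUNCATED = struct.pack(">H", 300) + b"\x90" * 10              # header claims 300, 10 bytes seen


def evaluate(samples: dict) -> dict:
    """Run both matchers over a {name: packet} dict and return the verdicts."""
    return {
        name: {
            "exploit_signature": matches_exploit_signature(pkt),
            "vulnerability_condition": matches_vulnerability_condition(pkt),
        }
        for name, pkt in samples.items()
    }


if __name__ == "__main__":
    verdicts = evaluate({"benign": BENIGN, "worm_a": WORM_A,
                         "variant_b": VARIANT_B, "truncated": TRUNCATED})
    for name, v in verdicts.items():
        print(f"{name:10s} signature={v['exploit_signature']!s:5s} "
              f"vuln={v['vulnerability_condition']}")
```

The practical caveat is the truncated case: a length-based check is only as good as the sensor's stream reassembly, so an inline sensor that evaluates individual segments rather than the reassembled request can be evaded by fragmentation.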

COVERING YOUR OTHER BASES
While an intrusion prevention sensor is an appropriate starting point, it does not by itself constitute true intrusion prevention. Once again, Zotob clearly demonstrated this point. Post-attack analysis in many organizations indicated that it was spread by mobile users plugging infected laptops into the corporate LAN. In such a situation, a mere handful of intrusion prevention sensors, typically deployed at Internet boundaries, will never be truly effective. It is simply too easy for the worm traffic to bypass them.

• Identification of vulnerable hosts. This is accomplished using a combination of passive, always-on inspection techniques and targeted, active scanning that is available on demand. The information obtained can be used both before and after the emergence of an attack to facilitate remediation as well as to tune intrusion control sensors, making them more efficient and less prone to false positives.
• Identification of abnormal activity. Atypical traffic patterns always deserve further investigation and may in fact be indicative of a previously unknown (i.e., zero-day) or otherwise undetected attack.
• Characterization of new attacks (e.g., by VRT). This supports the generation of new, highly effective detection rules. In addition to rules for the Sourcefire Intrusion Sensor, this includes rules that RNA itself can use to subsequently identify potentially infected machines. Indeed, with Zotob, as with previous threats (e.g., Sasser), Sourcefire's customer advisories included guidance on how to use RNA and the Sourcefire 3D Policy & Response engine to detect infected hosts.

Overall, RNA’s unique combination of attack detection, always-on passive discovery, targeted active scanning, behavioral profiling, and vulnerability analysis delivers the most comprehensive view of the security events occurring on your network – an essential foundation for effective network defense.

THE SNORT COMMUNITY – A FORCE MULTIPLIER
Because Sourcefire created Snort, its intrusion prevention sensor carries further advantages. With more than 2 million downloads and over 100,000 active users, Snort is the undisputed, most widely used intrusion control product on the market. This highly engaged community of users is an unmatched resource in the industry, providing VRT with early warnings of actual events in the wild, generating prototype rules, and supplying immediate feedback and refinements to new rules created by Sourcefire and others. Effectively, it is like having a 100,000-person development and technical support team.

SOURCEFIRE IN ACTION: A TIMELINE OF THE ZOTOB WORM
• August 9, 2005 – Microsoft announces multiple vulnerabilities and releases corresponding patches, including a critical one for the Windows Plug-and-Play service [MS05-039].
• August 12, 2005 – Sourcefire VRT responds, issuing an advisory and releasing a number of rules to detect attempted exploits against the PnP vulnerability. These are identified as sids 3828 through 4125, and include sid 3999, which triggers on the Zotob worm.
• August 14, 2005 – The Zotob worm is identified in the wild.
• August 15, 2005 – After extensive analysis of the worm, Sourcefire notifies customers that the necessary rules were already in place to detect Zotob activity.
• August 17, 2005 – Multiple variants of Zotob have emerged by this date, and the VRT has verified that all are covered by the original Snort rules released on August 12th. In addition, several other threats using the PnP vulnerability have emerged and are also covered (namely one Rbot, one Sdbot, one CodBot, three IRCbots, and two Bozori variants).
• August 19, 2005 – Sourcefire publishes instructions on how to leverage RNA and the 3D Policy & Response engine for further Zotob detection.

SUMMARY
Zotob, while not terribly significant in terms of its aggregate impact, nonetheless provides insight both into the nature of threats to come and into very real shortcomings of various attack mitigation techniques and technologies. Most notable among these are first-generation intrusion prevention products, in particular those which rely all too heavily on the presence of well-positioned and well-maintained intrusion prevention devices. In contrast, the Sourcefire 3D System provides next-generation true intrusion prevention, incorporating essential, complementary RNA technology to more effectively prevent all threats, from all vectors, all of the time, providing protection before, during, and after an attack.

ZOTOB TECHNICAL DETAILS
A programming error in the Plug-and-Play (PnP) service used by Microsoft Windows machines allows a remote attacker to overflow a fixed-length buffer, execute code on the vulnerable system, and escalate privileges on the host to the extent that complete control of the affected machine can be gained. Zotob makes use of this PnP vulnerability (MS05-039) to propagate. The worm uses exploit code that targets the weakness via TCP port 445. Upon successful exploitation, the victim uses ftp to transfer the worm body from the infecting machine. The newly infected machine then becomes an ftp server itself and begins scanning for other hosts to infect.
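The propagation pattern just described (one host opening port 445 to many peers, then those peers connecting back to fetch the worm body) is exactly the kind of behaviour the RNA guidance mentioned earlier is meant to surface. The following is an added example of that triage over connection records; it is not Sourcefire's RNA or Policy & Response logic. The record format ("timestamp source destination destination-port"), the scan threshold and window, the use of port 21 for the callback, and the sample data are all constructed for this example.

```python
"""Flag likely worm-infected hosts from connection records.

Added example, not Sourcefire's RNA logic. Two behaviours from the Zotob
description are scored: (1) one source opening TCP/445 to many distinct
hosts in a short window (propagation scanning), and (2) scanned hosts
connecting back to the scanner afterwards (consistent with fetching the
worm body from the infecting machine's ftp server). Record format,
thresholds and sample data are constructed for this example.
"""
from collections import defaultdict

SCAN_PORT = 445
SCAN_THRESHOLD = 5      # distinct 445 targets within the window (assumed)
WINDOW_SECONDS = 60     # sliding window length (assumed)


def parse_records(text):
    """Parse 'ts src dst dport' lines (constructed format) into sorted tuples."""
    recs = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        recs.append((int(ts), src, dst, int(dport)))
    return sorted(recs)


def find_scanners(records):
    """Return {src: set(targets)} for sources that reach SCAN_THRESHOLD
    distinct 445 targets inside any WINDOW_SECONDS window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport == SCAN_PORT:
            by_src[src].append((ts, dst))
    scanners = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > WINDOW_SECONDS:
                start += 1
            targets = {d for _, d in hits[start:end + 1]}
            if len(targets) >= SCAN_THRESHOLD:
                scanners[src] = scanners.get(src, set()) | targets
    return scanners


def find_callbacks(records, scanners):
    """For each scanner, the scanned hosts that later opened a connection
    back to it (the victim pulling the worm body from the infector)."""
    first_scan = {}
    for ts, src, dst, dport in records:
        if src in scanners and dport == SCAN_PORT and dst in scanners[src]:
            first_scan.setdefault((src, dst), ts)
    callbacks = defaultdict(set)
    for ts, src, dst, dport in records:
        key = (dst, src)  # (scanner, victim) for a victim -> scanner flow
        if key in first_scan and ts > first_scan[key]:
            callbacks[dst].add(src)
    return dict(callbacks)


def triage(text):
    """Return {scanner: {"scanned": [...], "callbacks": [...]}}."""
    records = parse_records(text)
    scanners = find_scanners(records)
    callbacks = find_callbacks(records, scanners)
    return {src: {"scanned": sorted(t), "callbacks": sorted(callbacks.get(src, ()))}
            for src, t in scanners.items()}


# Constructed sample: an infected laptop (10.0.5.23) sweeps 445, one victim
# (10.0.5.4) calls back on ftp and then starts sweeping itself; an admin host
# (10.0.1.2) touches two file shares and should not be flagged.
SAMPLE = """\
100 10.0.5.23 10.0.5.1 445
101 10.0.5.23 10.0.5.2 445
102 10.0.5.23 10.0.5.3 445
103 10.0.5.23 10.0.5.4 445
104 10.0.5.23 10.0.5.5 445
105 10.0.5.23 10.0.5.6 445
120 10.0.5.4 10.0.5.23 21
130 10.0.1.2 10.0.5.9 445
131 10.0.1.2 10.0.5.10 445
200 10.0.5.4 10.0.5.11 445
201 10.0.5.4 10.0.5.12 445
202 10.0.5.4 10.0.5.13 445
203 10.0.5.4 10.0.5.14 445
204 10.0.5.4 10.0.5.15 445
230 10.0.5.12 10.0.5.4 21
"""

if __name__ == "__main__":
    for host, info in triage(SAMPLE).items():
        print(host, "scanned", len(info["scanned"]), "hosts; callbacks from", info["callbacks"])
```

The callback check is what separates a noisy vulnerability scanner or patch-management host from a propagating worm: a legitimate scanner sweeps 445 but its targets do not then open connections back to it. Thresholds need tuning per network, which is where the vulnerable-host inventory from passive discovery helps, since a sweep aimed mostly at unpatched hosts is far more worrying than one aimed at patched ones.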

©2009 Sourcefire, Inc. All rights reserved. SOURCEFIRE®, SNORT®, the Sourcefire logo, the Snort and Pig logo, SOURCEFIRE 3D®, SOURCEFIRE RNA®, CLAMAV®, SECURITY FOR THE REAL WORLD™, SOURCEFIRE DEFENSE CENTER™, SOURCEFIRE RUA™, DAEMONLOGGER™, SOURCEFIRE SOLUTIONS NETWORK™, and certain other trademarks and logos are trademarks or registered trademarks of Sourcefire, Inc. in the United States and other countries. Other company, product and service names may be trademarks or service marks of others.



03.09 | REV 1A