Critical System Protection

Combined Protection against w32.Ramnit!.html : DCS:SA and SEP 

Feb 04, 2016 12:35 PM

Real Use Case:

An Apache Web Server was compromised and the following folders were used to store malware code.

/home/XXX/public_html/XXXX/

/home/XXX/public_html/media/XXX/

The primary web page was defaced with content resembling a hacktivism attack ...

But there is something else behind it: the attacker included a VBScript that drops a file and infects the computer. The script is similar to:

<SCRIPT Language=VBScript><!--

DropFileName = "[Well Known Generic Host Process.exe]"

WriteData = "4D5A9000030000…" and more HEX code and instructions ....

....

Set WSHshell = CreateObject("WScript.Shell")

WSHshell.Run DropPath, 0

//--></SCRIPT>

As a result, every user who visited that URL was potentially infected: a real example of a drive-by exploit.

Protection for your Endpoint 

With Symantec Endpoint Protection 12.1.6, client computers that tried to visit that infected web server received a warning about a block in progress; the source was SEP Network Threat Protection (specifically the IPS feature).

The signature was associated with Web Attack: W32.Ramnit Attack 4. That was using only the default values and an up-to-date SEP platform: the malware was not downloaded to the system, and SEP identified the threat as w32.Ramnit!.html.

Lesson learned: do not install just an antivirus on your computers! You need proactive protection, and Symantec Endpoint Protection 12.1.6 will do the job for you.

Protection for your Unix/Apache Server

Don't forget your Apache server!

Think about hardening with Symantec Data Center Security: Server Advanced (SDCS:SA)!

If you already have SDCS:SA 6.5.x or Symantec Critical System Protection 5.2.9, apply and customize the UNIX Protection Prevention Policy in order to minimize risk.

Avoid Shellshock; you will find useful information in the following article: Protect Your Servers from the Shellshock Vulnerability with Data Center Security: Server Advanced

You can also use a Detection policy to monitor changes to the default index page and receive an email notification when someone modifies the content.
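As an added example (not part of the original post and not Symantec product code), the following Python script does in miniature what the detection policy above does: it baselines the web root, reports new or modified files such as the index page or anything dropped under the media folder, and also flags pages that carry at least two of the indicators visible in the injected VBScript shown earlier (the VBScript tag, a hex blob starting with the PE "MZ" bytes 4D5A, and WScript.Shell creation). The sample site, file names and indicator patterns are constructed assumptions.

```python
import hashlib
import os
import re
import tempfile

# Indicators from the injected VBScript above: tag, hex blob starting 4D5A (MZ), WScript.Shell.
DROPPER_PATTERNS = [
    re.compile(r"<script[^>]*language\s*=\s*\"?vbscript", re.I),
    re.compile(r"=\s*\"4D5A", re.I),
    re.compile(r"CreateObject\(\s*\"WScript\.Shell\"\s*\)", re.I),
]

def build_baseline(root):
    """Map relative path -> sha256 of every file under the web root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                baseline[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return baseline

def scan_webroot(root, baseline):
    """Return (relative_path, reason) findings: new/changed files and dropper indicators."""
    findings = []
    for rel, digest in build_baseline(root).items():
        if rel not in baseline:
            findings.append((rel, "new file"))
        elif baseline[rel] != digest:
            findings.append((rel, "content changed"))
        with open(os.path.join(root, rel), errors="ignore") as f:
            text = f.read()
        if sum(1 for p in DROPPER_PATTERNS if p.search(text)) >= 2:
            findings.append((rel, "vbscript dropper indicators"))
    return findings

def demo():
    """Constructed sample site: baseline it, then apply a defacement like the one above."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html><body>Welcome</body></html>")
    baseline = build_baseline(root)
    with open(os.path.join(root, "index.html"), "a") as f:  # injected block (constructed)
        f.write('<SCRIPT Language=VBScript><!--\nWriteData = "4D5A9000"\n'
                'Set WSHshell = CreateObject("WScript.Shell")\n//--></SCRIPT>')
    os.mkdir(os.path.join(root, "media"))
    with open(os.path.join(root, "media", "drop.txt"), "w") as f:
        f.write("constructed placeholder for a dropped file")
    return scan_webroot(root, baseline)
```

In a real deployment the baseline would be stored outside the web root and the findings routed to the notification channel of your choice.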

If you are thinking about buying the solution, then DCS:SA v6.6 is the right option for you. Check the SDCS:Server Advanced Apache PHP Prevention Policy Quick Start Guide, where you will find Apache protection policy details like:

- Configuring the policy 

- Securing files and folders 

- Securing system processes

- Securing the network

- Additional hardening steps 

Rodrigo Calvo

Sr. Security Engineer 

infoLock Technologies

https://twitter.com/infolocktech
