10 Recommendations for preventing worm outbreaks | Quisitive
Feature Image for Azure Traffic Manager for Developers. Image of a developer sitting at a computer with lines of code across the screen
10 Recommendations for preventing worm outbreaks
January 13, 2013
The US Department of Homeland defense issued a statement on Friday to disable Java. Oracle has just released Java SE 7u11 – an emergency software update.

The US Department of Homeland defense issued a statement on Friday to disable Java. It’s a serious recommendation because many business applications rely on Java.

[Update 1/13/2013 3:43 PM PST]
Oracle has just released Java SE 7u11 – an emergency software update.

The good news is this problem only impacts the very latest versions of Java, so organizations that are behind should be okay. Java installs an auto-updater that nags users to update, so it could be hard to predict how many systems are vulnerable without some type of software inventory tool like Microsoft’s System Center Configuration Manager or Windows Intune.
My guess is many organizations will not disable Java, either because they don’t have the tools to do so, or because they are just going to cross their fingers that they don’t get hit by a worm; perhaps the loss of productivity is greater than the potential impact of a worm. I wouldn’t pause to disable Java because I recently witnessed first-hand how a modern worm can quickly bypass traditional security controls. The result is a complete loss of productivity where users could not access file shares for days.
Consider the typical minimum safeguards that most businesses have in place today:
1. Firewall
2. Antivirus Software
3. Windows Updates

If this is all you have to defend yourself against a modern worm, it is only a matter of time before an employee, vendor or guest brings an infected system onto your network. That is when you will find out that traditional safeguards have not kept pace with the modern worms that are spreading. These worms are being written by state-sponsored organizations.. Not the stereotypical 16-year-old kid looking for attention.  It has always been an arms-race between the virus writers and the security vendors, but lately the bad guys seem to be on top. These are professional teams who sometimes directly target specific users within an organization who have elevated administrative rights on the network. They can also be financially motivated, distributing so-called “ransomware” that holds your data hostage unless you pony up the cash.
The level of sophistication that goes into these worms is astonishing. Consider the multiple attack vectors that these worms can spread through: email, network, USB thumb-drives; virtually any and all methods of propagating. They mutate themselves often to evade detection, then silently send your passwords and private information overseas. They inject themselves into known-good processes to evade detection. They can also spread by exploiting vulnerabilities in the host operating system. But usually they spread by taking advantage of people’s naivety. “But the pop-up said I had a virus on my system and it said to click here to clean it!” Yep.
This requires IT Security policies and procedures to be updated to combat the threat and innovative strategies and tactics to be developed.
I want to make an important distinction between worms/viruses and Malware. Malware infects a single system and does not spread. MalwareBytes is a tool that does a pretty effective job at removing Malware from a single system. But if you have a handful of staff supporting hundreds of users, MalwareBytes is not an effective tool to clean hundreds of systems that are simultaneously infected.

(disclaimer: the following recommendations are for educational purposes only and there is no warranty expressed or implied; use at your own risk).

1. Do not rely on traditional Antivirus alone.

Traditional antivirus engines rely on signatures to detect threats. Lately they have been getting smoked by Malware, Viruses and Worms because they automatically mutate themselves to stay a step ahead of the definition updates.
Zero-day worms are even more sophisticated – they can call home to distributed command center that has an ever-evolving list of domain names so you can’t block a specific static list of IP addresses or domain names at the firewall level.
Therefore, you really need to combine signature-based AV with behavioral-based AV such as SONAR or Bit9. SONAR develops a profile for a process and then determines if it is a threat based on its behavior, eliminating the dependency for virus definitions (but it should be deployed to supplement AV signatures not completely replace them). For example, if a particular process tried to access the system folder and tried to call home, but does not have any running UI. Also, it downloaded more than 15 files the previous day. Any one of these things alone may not be “bad” but taken as a whole, the behavioral profile is bad, and it can then prevent the process from executing. By taking into consider a processes’ communication characteristics, a behavioral based AV solution is much more effective than a signature-based solution alone. This is not a perfect science, as legitimate processes can be quarantined, but in a controlled environment, those processes can be proactively whitelisted.

So do yourself a favor and deploy the latest AV solution possible, with the most locked down configuration that still allows your applications to function. Security has always been a trade-off between productivity and security, but many are predicting 2013 to be the year of the worm, so it is important to be very proactive and not wait until it is too late.

2. Do not give end-users local Administrator rights to their computers

If a virus cannot gain a foothold onto the computer to begin with, then half the battle is already won. In the past, this type of configuration would result in increased helpdesk requests (and increased support costs) because end users had to rely on someone else to install printers and software on their systems.
However, the last three major versions of Windows include a feature called User Account Control (UAC) that allows the user to run under a non-privileged account, and supply credentials only when necessary (a process known as elevation). Many IT departments are quick to disable this feature for fear of complaints from users, and to those departments I say it is time to re-evaluate that decision.

Worms that use Windows vulnerabilities do not require local admin privs to spread, they can perform a privilege escalation to grant themselves administrative rights if the system has not kept up to date with Microsoft updates. Worms like W32.ChangeUP disable the registry key for Windows Update, to prevent the machine from fixing those vulnerabilities.

IT Users with Domain Administrator rights must have a separate username and password that they only use sparingly to perform those duties that require elevated rights. Otherwise, if a worm executes itself on a machine with domain admin rights, say good bye to your network.

3. Patch 3rd party products like Java, Acrobat and Flash

How do you patch 3rd party software today? Windows Server Update Services (WSUS) cannot do it. There are three methods native to Microsoft: Group Policy or Scripting, System Center Configuration Manager or Intune (kind of like a Cloud-based SCCM).
Windows Update alone is not enough to protect your network from worms and viruses. It is now mandatory to patch applications like Adobe Acrobat, Flash and Java.

As evidenced by the DHS Java announcement, viruses and worms are spreading not just by exploiting vulnerabilities in Internet Explorer and Windows, but they are increasingly exploiting Adobe Acrobat and Java.
Windows Intune can be used to effectively deploy software updates to computers. Similar to its big brother System Center Configuration Manager, Intune runs in the cloud so there is no back-end infrastructure to setup or maintain.

4. Disable Auto Run

Many worms spread by attaching themselves to network file shares and placing an Autorun.inf file on the share. When the user opens the folder, Autorun.inf will cause a virus to load, even if the user did not open an executable file directly.
Auto Run can be disabled via Group Policy. There are two policies to update: one for XP and one for Vista/Win7/Win8.

Vista/Win7/Win8 Group Policy Setting:

Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Autoplay Policies.
In the Details pane, double-click Turn off Autoplay.
Reboot client computers.

Windows XP

Computer Configuration, expand Administrative Templates, and then click System.
In the Settings pane, right-click Turn off Autoplay, and then click Properties.
Note In Windows 2000, the policy setting is named Disable Autoplay.
Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives.
Click OK to close the Turn off Autoplay Properties dialog box.
Restart client computers.

5. Enable Windows Firewall.

This can prevent a worm from scanning and spreading itself on various ports. Windows Firewall could potentially disrupt valid business applications so be sure to test this and any other configuration before deploying in a production environment.

6. Deploy a virus cleaner on computer startup

[Updated 1/18/2013]

The other technique is to deploy a free tool like McAfee’s stinger.exe. This is a stand-alone executable that can remove many of the worms out there.

Put this in the Domain controller’s sysvol\domains\scripts folder because it is shared out as the netlogon folder, and that way clients will download stinger.exe from their nearest domain controller to minimize the impact on the WAN.

REM Begin cleaner.cmd

if exist %userprofile%\stinger.exe goto end
echo not yet
copy \\contoso.com\netlogon\stinger.exe %userprofile%
%userprofile%\stinger –adl –delete –go –silent
REM End of cleaner.cmd

Notice that if stinger exists then it won’t run a 2nd time, that is to prevent this from running more than once because it consumes a lot of CPU (end users might want to be informed that their computers may slow down a bit).

Then create a group policy that references that cmd file. I recommend putting it in the computer startup scripts so that it runs as local system rather than as a user process. Then email the users and tell them to reboot to take effect.

7. Deploy Network Access Protection (NAP)

Network Access Protection (NAP) is really important to deploy on VLANs where your critical line of business systems are located. Imagine the scenario where someone takes their laptop home, and their child unknowingly downloads a virus on the machine while playing an online game. When the adult brings that system back into work, the worm could spread the moment they plug into the network. They could also do the same damage if they connect to the network from home over a VPN connection. By deploying NAP, the system will first have to go through a health check to validate that AV is running, has the latest virus definitions, and has the latest Windows updates. If it passes the checks, then it can be permitted to communicate on the network.
Deploying NAP takes a serious commitment because it may involve re-architecting the network boundaries to accommodate the multiple requirements.

8. Use File Screening on your file servers

[Updated 1/18/2013]

Windows Server 2003 R2 and up has the ability to block .exe files and .inf files from being placed on file shares. This can be an effective technique to prevent worms from placing themselves on file shares.

2008 R2 Instructions:

2003 R2 Instructions:

9. Adopt Defense in Depth

Deploy multiple levels of antivirus and defense.  Select different vendors at each layer of your network. It is a mistake to deploy the same antivirus engine at the gateway or web proxy that you do on your desktops. Otherwise the virus that evades your web filter will also evade your desktop. Not filtering web requests? Your users can unknowingly download viruses into your network by checking their personal email and downloading threats from email attachments that do not go through your hardened email server.
I recommend using OpenDNS (paid) or Dyn.com Security Guide (free) to filter DNS requests from known domains that host spyware and malware.

10. DNS Sync Holing

[Updated 1/18/2013]

DNS sinkholing is an effective technique where you host DNS zones that the worm tries to lookup instead of blocking those IP’s at your firewall. The DNS zone is populated with the IP address of your IDS sensor.  This is similar to a Wifi honeypot or tarpit. This is effective for two reasons:
1. It provides the worm a DNS response, so the worm does not attempt to lookup any other domain names. It thus prevents the worm from calling home and getting a new variant.
2. It provides your IDS sensor the exact IP addresses of the infected hosts so that your incident response team can go and clean those systems. This is more effective than firewall logs because those might only show the last previous hop if the last gateway strips off the original host IP.

How to deploy DNS sinkholing quickly.
Worms can use dozens of DNS zones to call home, so the quickest way to create the zones is to use the DNSCMD command built-into Windows:

Step 1: Create the zones
dnscmd /zoneadd ddnsd.at /DsPrimary
dnscmd /zoneadd noip.at /DsPrimary
dnscmd /zoneadd 3d-game.com /DsPrimary
… (repeat for all zones).. Note: DsPrimary means AD Directory Service integrated, meaning this will replicate to all domain controllers. This allows you to only have to run this on a single DC and it will replicate the zones everywhere. You can later clean these zones up with another dnscmd script.

Step 2: Populate the zones with @ records pointing to your IDS sensor
dnscmd /RecordAdd 3d-game.com @ A (<-change this for your IDS)
(repeat for all zones)


Even if you do all the things recommended in this article, you could still get hit by a zero day worm. Therefore, it is important to review your antivirus logs regularly (daily if possible) or configure email alerts so that you can become aware of outbreaks as soon as possible. Make sure you have your Antivirus vendor contact information and support contract numbers at hand. If your network is compromised, engage your Antivirus vendor early in the process so that you can upload the specific strain of worm that has infected your network. They can tell you which virus definitions are effective for removing the threat. This is especially important if it is a zero day threat, or a threat that mutates daily. Communicate to your end users early so that they know what to avoid clicking on. As part of a Business Continuity Plan, departments should have plans for how their business processes can continue to operate without computers. Develop a communication plan for how IT will communicate with each other and key decision makers and end users if the email system is incapacitated.
There are many things you can do proactively to safeguard your network. Hiring a dedicated Security Engineer with CISSP certification is a great start. Hiring an outside consulting company to give you an objective analysis of your strengths and weaknesses is another good idea, and then having them come back to measure you against this first baseline periodically is also a good idea. Providing security awareness training for your end users is also very important.
I think it is also important to keep a level head and not overreact to every news article about the latest threat. Don’t overwhelm your users with scary emails. Sometimes our response to a problem can create a worse situation than any virus or worm outbreak. Therefore our responses should be carefully measured and tested when possible.

Some worms spread by guessing weak passwords on servers, shares and SQL applications. Most publically traded companies are required to change their passwords frequently and should have strong passwords. Private companies are advised to follow suit as this is a wise practice to adopt.

Why backups are important

If a worm or virus does some damage, you may need to restore from Backup.
Before you restore from backup, develop an Incident Response Procedure to inform users about any potential data loss that could occur as a result of the restore. If possible perform one last backup prior to the restore so that you can selectively restore any valid files that may have been saved by users after the last backup was taken. Do not perform the restore until after the threat has been eliminated from the network, otherwise the restore files could become re-infected – wasting valuable time and frustrating end-users.

Keep calm and carry on.