Malware Freakshow 2010 – My egress distress

Yesterday, on Day 1 of Black Hat 2010, I attended an excellent discussion by two forensics experts. Their talk covered four incidents they investigated.  The method the criminals used to break-in ranged from incredibly trivial tPhishing-identity-theft1o very clever.  While the mechanics of the malware were very intriguing, one piece stood out — the malicious software used FTP or SMTP (email)  to send the captured credit card information to the  criminal.  Yes, that's right, the malware used default Internet access to transfer the "goods." 

The speakers even made a point of stating that no one is restricting outbound access.  It's a default privilege for employees and criminals take advantage of this excessive right.  

Techs – This is all about egress filtering, or blocking what is allowed to access the Internet.  I'm not talking about full and total lock down here, but your servers should not be able to access the Internet.  Your PC should not be able to establish SMTP connections to external hosts.  URL Filtering / Proxying is also a critical step for limiting what goes out, but that's a different post.   

Execs – Planned properly, your IT team can significantly restrict outbound (egress) access to the Internet without interrupting business operations.  Making Internet access a convenience for all means it's also convenient for malicious software that will make it onto your network.

Egress filtering won't prevent malware from infecting your systems.  And smart malware will use something like HTTP or HTTPS to communicate with the bad guys.  What egress filtering can do, however, is let you know when something is trying to get out using a method that is not allowed.  This decreases the time it takes for you to investigate, and ultimately limits how much damage the malware does.

Cheers!  Simon

Leave a Reply

Your email address will not be published. Required fields are marked *