Monday, 3 December 2012

Malware Prevention - Best Practices


Preventing Malware Infections
Preventing malware on your Web site is easier than you might think. And it doesn't require too much extra time, money, and resources to protect your systems. Following best practices for prevention and using the resources that you already have, you can significantly lessen the chances of having malware on your Web site.
Discuss these tips and guidelines with your developers and server administrators. Find out if and how these best practices are applied in your company. Set administrative and development policies based on these best practices as well as the recommendations of your trusted administrators.
Back up your Web server!
  • Perhaps the most significant preventive measure that you can take is actually preparing for the worst case scenario. What do you do when your Web site is infected and you can't just delete the malware? In that case, you want to make sure that you can recover everything that you use to run your Web site.
  • Maintain a redundant, up-to-date backup Web server. If your active server is infected, you can switch over to the clean backup server. Your customers will not experience any downtime while you clean the infected server.
  • If maintaining a redundant backup is cost- and resource-intensive, make sure that you have backup copies of all operating system and application software, including all patches and maintenance releases.
  • Make especially sure that you regularly back up all of the data. If any business or customer data is compromised or damaged, you can restore the data with minimal downtime for specific features – instead of taking your entire Web site offline.
Secure your Web server.
  • User access must be secure. Your administrators and developers should use strong passwords, change their passwords regularly, or use access credentials that are handed out by a trusted administrator.
  • Follow the "principle of least privilege." Know who has access to your server and make sure that only those who need access have it. Additionally, restrict user privileges person-by-person; give your administrators and developers only the privileges that they need to do their job.
  • File transfers must be encrypted. Use Secure FTP (SFTP) or Secure Copy (SCP) tools to transfer the files. FTP tools are not encrypted.
  • Practice secure application development. In your back-end code, validate user input type and eliminate security holes (known as "vulnerabilities") such as buffer overflow, SQL injection, and cross-site scripting.
  • On your customer-facing Web site, don't give away any information that your customers don't need – the information might be useful for attackers. For example, in error messages, don't show your server type or version or say that "we can't connect to the database". Don't provide specific login errors like "your password is wrong" – this message tells an attacker that an account exists with the username. 
Trust the person at the keyboard.
  • Make sure that everyone with access to your Web server understands and recognizes social engineering methods. Social engineering is convincing someone to do something or reveal confidential information, typically by impersonating a person of authority or influence. A saying goes: "it's easier to hack the person than it is to hack the machine".
  • Through social engineering, a malware attack starts without even touching your Web server. With just a little information about your company, an attacker can impersonate a company executive or external authority (such as the police or a lawyer) over the phone. If the attacker is convincing enough, the attacker might persuade a junior developer to unknowingly install or link to malware.
  • Have confidence in and trust all of the people who have access to your Web server. But regardless of your level of trust, your server should track user logins and all actions while logged in.
  • Trust and accountability are key to preventing the most direct threat – an inside job, a deliberate attack by an employee or colleague. Whether driven by personal reasons or coerced by an outsider, this person already has all of the access and privileges needed to put malware on your Web site.
  • For any changes to your Web site, have a clear sign-off process. You should also have contingency plans if critical people are not available, so that everyone knows what to do when you or your server administrator can't be reached. 
Use your Web server for one thing and one thing only: running your Web site.
  • Do not use the server to browse the Web, check your email, instant message, blog about your vacation, or send your mom photos from last week's family reunion. You have enough to worry about with attackers trying to get in – don't help them out by actively roaming the Internet.
  • Remove all unused programs from your Web server. Popular applications sometimes have known vulnerabilities that attackers can easily exploit. If a program is not being used, remove the program so that it is not a potential point of attack.
  • If possible, remove software documentation from the server and store it elsewhere. Documentation that includes application names, version numbers, and bug fixes can give attackers insight into what's on the server and how to gain access. 
Patch, patch, patch. Keep your server software, operating systems, and applications up to date.
  • Know what software is on your server. Keep a list of all operating system and application software installed on the server, including version numbers.
  • Keep all software on the server up to date and running the current versions. Newer versions often include fixes for known vulnerabilities. Vulnerability fixes close the loopholes that the hacker and malware communities know how to exploit.

Sunday, 2 December 2012

TSIS CBSE nextBatch Starting Soon..!


Admission for academic year 2013-2014 - Kindergarten to Grade 5 starts on 15th of Dec 2012.

A glimpse showing all about it.

SSL Certificate Tester and DNSStuff

Reliable tools for verifying secure connection and tracking DNS & Emails

We subscribe to these tools for our infrastructure support.

Thursday, 29 November 2012

Emails Sent by Users are Stuck in Outbox/Draft Folder

ENVIRONMENT:
  • Exchange 2007 with a clustered mailbox server running on Windows 2003 64-bit
  • 2 HUB & 2 CAS servers
  • SMTP gateway (IronMail from McAfee)

SYMPTOM:
Emails sent by users were stuck in the Outbox/Drafts folder. We had in fact asked some of the users to send 5-10 test emails for a couple of days to study the case. Some emails were also sent from iPhones and BlackBerry handhelds. The ground fact was that not all emails were received by the recipients: 2-3 emails were stuck in Outlook’s Outbox or Drafts folder. This was also the case when emails were sent using OWA (Outlook Web Access).

CASE IDENTIFICATION DATA:
We escalated this issue to Microsoft, and through analysis of the server logs it was confirmed that “MSExchange Store Driver - 1014” warnings were logged for the users who had faced the issue with emails stuck in the Outbox.

Issues encountered during the test case: 
Restarted the Microsoft Exchange Transport service on both HUB servers. Moved the 3 affected users’ mailboxes to another mailbox database.
During the mailbox move, the operation was cancelled manually, and when the problematic users tried to access their mailboxes, they received an error stating that a move operation was currently running.
We sorted this out by running Clean-MailboxDatabase against the source and the destination mailbox databases, and moved the CCR CMS to the passive node.
All users including the affected users could access their mailbox normally.

ACTION PLAN:
Move one of the affected mailboxes to another database.
The above plan didn't sort the issue, though.

By investigating the logs further, we found something fishy in the monitoring tool “Quest Software” that was installed in the Exchange infrastructure. We also noticed that this monitoring tool can cause symptoms similar to the ones we were facing. So, in order to isolate the issue, we temporarily disabled all the Quest-related services on the two Hub servers and two Mailbox servers for three days and kept monitoring whether the “MSExchange Store Driver - 1014” alert, which had been generated repeatedly, appeared again.

CAUSE:
A third-party “Quest service” installed on the Exchange servers caused the MSExchange Store Driver to fail to open the message item, which resulted in a failed submission.

RESOLUTION:
We disabled the “Quest services” on the Exchange servers, and after this no alerts related to the MSExchange Store Driver were logged. Also, during this period, users did not face the issue of emails stuck in Outbox/Drafts. We concluded that the Quest services were incorrectly handling some emails, which left those emails stuck in the Outbox.

*Important* Virus Notification

Latest Virus/ Worm Threat

We have been notified by Antivirus Advisory Labs about the latest virus threat 'W32/Autorun.worm.aaeb-h', which has the ability to infect removable media devices and network shares..!

As an action plan, we have mitigated this risk by patching our systems and desktops with the latest antivirus protection and by adding additional controls. However, the viewers of this blog are requested to:
  i)  exercise caution while opening unsolicited emails and unknown files.
 ii)  refrain from using USB drives.
iii)  download and use the Stinger tool for remediation in case a suspicious virus message creeps up on your system.

From: McAfee [mailto:sns@snssecure.mcafee.com] 
Sent: Wednesday, 28 November, 2012 22:37

To: Rinith KT
Subject: *URGENT* McAfee SNS ALERT: *UPDATE* Reports of W32/autorun.worm.aaeb-h infections

**Update to original message: Stinger tool now available. See Mitigation section below**
McAfee has received multiple reports of customers who are severely affected by variants of W32/autorun.worm.aaeb-h.

Impact

W32/Autorun.worm.aaeb-h has the ability to infect removable media devices and mounted network shares. It can also copy itself into .zip and .rar archive files.
The infection starts either with manual execution of an infected file or by navigating to a folder that contains infected files. This threat has the ability to download other malware or updates to itself as directed by a Command-and-Control (C&C) server.

Mitigation

McAfee has released an Extra.DAT and Stinger to detect and clean this threat.

To download the Extra.DAT and Stinger, see KB76807


For more information on McAfee product coverage and mitigation for this threat, see PD24169 - Threat Advisory: W32/Autorun.worm.aaeb:

Wednesday, 28 November 2012

Real-Time Intranet (SharePoint) Replication: Production Site to Disaster Recovery Site


SharePoint 2010 real-time replication to the Disaster Recovery site using a third-party tool; DocAve from AvePoint is one of them.



We have been using this software for SharePoint replication for the last 4+ years. It's wonderful software designed for MOSS 2007 and SharePoint 2010 environments, with a lot of features built in. We licensed just the replication module, as replication from the production site to the DR site was our concern. All we had to do was first restore the destination site using the latest SQL DB site-level backups. We used an independent server for the DocAve Enterprise Manager. DocAve 6 client plug-ins were installed on the Web Front-End servers of both the source and destination sites. That's it; the configuration is pretty simple. It does real-time replication instantly, in less than a minute.
Real-time SharePoint2010 replication process - Production to DR Site


We had slight issues when we activated real-time replication. However, the issue stabilized after re-scheduling the replication method to trigger incremental replication after business hours. Accessing the database from different processes, such as the backup plan and the real-time replication plan, could have caused a conflict.

Check my other postings on:


Scheduled Maintenance Plan for SQL Express DBs

Automate Database backup with SQL Express using scripts and batch schedule

Let us automate database backup in SQL Express with mixed Windows and SQL authentication running on Windows 2008 Server. This material was tested with Microsoft SQL Server 2008 R2 Express and SQL Server 2005 Express Edition.

SQL Server 2008 Enterprise comes with the Maintenance Plan feature. SQL Express edition lacks this feature, but you still need a backup.

Backup automation with SQL Express can be carried out by following these steps:
i) Create the SQL script to back up all your databases.
ii) Execute the script by initiating it from a command prompt (SQLCMD command).
iii) Schedule the script using Windows Task Scheduler.

i)
-- script starts here

DECLARE @dbName        SYSNAME        -- database name (SYSNAME holds full-length names; VARCHAR(33) would silently truncate)
DECLARE @path          VARCHAR(260)   -- backup path
DECLARE @fileName      VARCHAR(260)   -- backup file name (path + database name + suffix)
DECLARE @fileQuarter   CHAR(1)        -- variable portion of file name

SET @path = '\\192.168.16.193\backup\TestDB\Bkp\'
-- The above path is a remote location; change it according to your environment.
-- The SQL Server service account must have write access to this share.

-- Returns a numeral from 1 to 4, so each quarter you get a new backup file name
SELECT @fileQuarter = CONVERT(CHAR(1), (MONTH(GETDATE()) + 2) / 3)

DECLARE db_cursor CURSOR FOR
SELECT name
FROM sys.databases
-- tempdb cannot be backed up, and BACKUP fails on databases that are not online.
-- Exclude the other system databases here if needed: 'master','model','msdb'
WHERE name NOT IN ('tempdb')
  AND state_desc = 'ONLINE'

OPEN db_cursor
FETCH NEXT FROM db_cursor INTO @dbName

WHILE @@FETCH_STATUS = 0
BEGIN
       SET @fileName = @path + @dbName + '_' + @fileQuarter + '.BAK'
       -- Use INIT and SKIP to overwrite previous sets
       BACKUP DATABASE @dbName TO DISK = @fileName  WITH INIT, SKIP
       FETCH NEXT FROM db_cursor INTO @dbName
END
CLOSE db_cursor
DEALLOCATE db_cursor

-- script ends here

Save the above script as a .sql file (e.g. Bkp.sql).

ii) Create a windows batch file with .bat extension (Ex. bkp.bat) the content of which is as follows:

SQLCMD -E -S TST-APP1\myDB -i "c:\yourlocalfolder\Bkp.sql" -o "c:\yourlocalfolder\Log.txt"

iii) Now create a scheduled task from the Windows Control Panel. Make a schedule to run the batch file 'bkp.bat' on a daily or weekly basis.
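As an added example (not the blog's own script), the same loop with integrity checks: each backup is written WITH CHECKSUM and verified with RESTORE VERIFYONLY, each database is wrapped in TRY...CATCH so one failure does not stop the rest, and a final RAISERROR gives SQLCMD a failing exit code. It assumes the same placeholder UNC path as the post and a SQL Server service account that can write to it.

```sql
-- Added example (not the blog's script): backup loop with integrity checks.
-- Assumes the same UNC path as the post; the SQL Server service account must be able to write there.
SET NOCOUNT ON
DECLARE @path      VARCHAR(260)
DECLARE @dbName    SYSNAME
DECLARE @fileName  VARCHAR(260)
DECLARE @quarter   CHAR(1)
DECLARE @failures  INT
DECLARE @msg       NVARCHAR(2048)

SET @path     = '\\192.168.16.193\backup\TestDB\Bkp\'   -- placeholder path from the post
SET @quarter  = CONVERT(CHAR(1), (MONTH(GETDATE()) + 2) / 3)
SET @failures = 0

DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE name <> 'tempdb'                -- tempdb cannot be backed up
      AND state_desc = 'ONLINE'           -- skip offline / restoring databases
      AND source_database_id IS NULL      -- skip database snapshots

OPEN db_cursor
FETCH NEXT FROM db_cursor INTO @dbName
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @fileName = @path + @dbName + '_' + @quarter + '.BAK'
    BEGIN TRY
        -- CHECKSUM stores page checksums in the backup so media corruption is detectable
        BACKUP DATABASE @dbName TO DISK = @fileName WITH INIT, SKIP, CHECKSUM
        -- Verify the backup set and its checksums without restoring the data
        RESTORE VERIFYONLY FROM DISK = @fileName WITH CHECKSUM
        PRINT 'OK   ' + @dbName + ' -> ' + @fileName
    END TRY
    BEGIN CATCH
        -- Log and continue so one bad database does not stop the others.
        -- ERROR_MESSAGE() holds only the last error; the full detail is in the SQLCMD -o log.
        SET @failures = @failures + 1
        SET @msg = 'FAIL ' + @dbName + ': ' + ERROR_MESSAGE()
        PRINT @msg
    END CATCH
    FETCH NEXT FROM db_cursor INTO @dbName
END
CLOSE db_cursor
DEALLOCATE db_cursor

-- Severity 16 makes SQLCMD (run with -b) exit non-zero, so Task Scheduler records the failure
IF @failures > 0
    RAISERROR('%d database backup(s) failed; see log', 16, 1, @failures)
```

Add the -b switch to the SQLCMD line in bkp.bat so that the scheduled task's last-run result reflects a failed backup instead of always reporting success.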

It is wise to take the same backup to a tape drive as per the backup plan (daily, weekly and monthly) so that nothing is left to chance.