<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Securing Your Infrastructure : Security virus imaging build workstation</title><link>http://blogs.technet.com/infrastructure_security/archive/tags/Security+virus+imaging+build+workstation/default.aspx</link><description>Tags: Security virus imaging build workstation</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Researchers Raise Alarm Over New Iteration of Coreflood Botnet - Desktop Security News Analysis - Dark Reading</title><link>http://blogs.technet.com/infrastructure_security/archive/2008/08/14/researchers-raise-alarm-over-new-iteration-of-coreflood-botnet-desktop-security-news-analysis-dark-reading.aspx</link><pubDate>Thu, 14 Aug 2008 19:24:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3105867</guid><dc:creator>chrisr</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/infrastructure_security/comments/3105867.aspx</comments><wfw:commentRss>http://blogs.technet.com/infrastructure_security/commentrss.aspx?PostID=3105867</wfw:commentRss><description>&lt;BLOCKQUOTE cite=http://www.darkreading.com/document.asp?doc_id=159874&amp;amp;WT.svl=news1_4&gt;&lt;/BLOCKQUOTE&gt;
&lt;P class=citation&gt;&lt;CITE cite=http://www.darkreading.com/document.asp?doc_id=159874&amp;amp;WT.svl=news1_4&gt;&lt;A href="http://www.darkreading.com/document.asp?doc_id=159874&amp;amp;WT.svl=news1_4"&gt;Researchers Raise Alarm Over New Iteration of Coreflood Botnet - Desktop Security News Analysis - Dark Reading&lt;/A&gt;&lt;/CITE&gt;.&lt;/P&gt;
&lt;P&gt;This recent article from the Dark Reading web site talks about the Coreflood Trojan, which steals passwords. The major concern is its ability to steal accounts and passwords from the infected machine and transfer them to the attackers. While signature-based virus detection programs can detect and remove the malware, by then it is too late, since the program has already done its damage. The prediction is that this botnet will become a favorite among hackers for stealing passwords and then using those passwords to carry out attacks on enterprises. The question is how to protect against such an attack. The first answer is common sense: always have AV protection and the latest signature file. We will not go into this area since it is common practice. The second area, which is perhaps more difficult to address, is the process for bringing new systems into the environment.&lt;/P&gt;
&lt;P&gt;So here is the problem. You image a new system with an image that was created a couple of months ago. The image has A/V protection, but the signature file is a couple of months old. The system imaging goes fine, but shortly after the initial boot onto the network, the system gets attacked by a virus. The problem here is that the system does not have a current signature file, and the virus was not caught by the heuristics built into most A/V products. Now you are stuck with how to clean the system. So how do you avoid this type of problem in the first place? I have defined three ways to avoid this potential problem: changes to the imaging process, using a safe network, and Network Access Protection (NAP).&lt;/P&gt;
&lt;P&gt;First, let's start with a solution that could be implemented fairly easily today and does help reduce the exposure time. As part of the imaging process, add a step that downloads the latest signature file from a known location. One way to implement this is simply to have a script that kicks off the signature update process in the A/V client. To do this the client will need access to the network, which still leaves it open to attack during the update. Another way to implement this is to store the latest signature file on a USB device so the signature can be updated before the client attaches to the network. By using either of these two methods, you will either reduce or eliminate the exposure time on the network.&lt;/P&gt;
&lt;P&gt;Another way to attack this problem is to build a safe network. A safe network is a network with a limited number of clients and no Internet or corpnet connectivity. The client is built on this safe network, and the signature file is updated before the client is allowed to connect to the corpnet. This may require a change in your build process, especially if re-imaging is part of the problem resolution process. In this case, the end user may have to bring the system to a help desk location with a safe network connection.&lt;/P&gt;
&lt;P&gt;The third way to address this problem is to leverage NAP and quarantine the client on a restricted network until the signature file is updated. You will need to use a NAP enforcement method that relies on the network devices and not simple DHCP enforcement, since a client that ignores the DHCP-assigned restricted configuration is not contained by it. You will want a separate network to protect the client. In the quarantine environment, you provide all the systems necessary to build a client and update it with the latest signature files and security updates.&lt;/P&gt;
&lt;P&gt;Using one of these three ways (and there are probably others), you can start with a clean, protected system and reduce the number of infections due to unprotected systems. Carefully look at your build process and identify ways to reduce the exposure time to attacks.&lt;/P&gt;
</description><category domain="http://blogs.technet.com/infrastructure_security/archive/tags/Security+virus+imaging+build+workstation/default.aspx">Security virus imaging build workstation</category></item></channel></rss>