How to mitigate zero-day threats like Windows ANI

Patching a flaw is still the most reliable protection, security experts say

The Windows animated cursor (ANI) bug caused widespread concern because exploits against it became widely available before Microsoft could release a patch. But as with other zero-day threats before it, there are measures companies can take to at least try to mitigate the risk from unpatched vulnerabilities, security experts said.

The measures are not a sure bet. And in the end, patching a flaw is still the most reliable way of protecting against exploits seeking to take advantage of it, they said. But deploying multiple layers of defenses is vital to dealing with threats for which no immediate fix is available.

Among them are the following:

Restrict e-mail attachments

One of the ways hackers hope to exploit the ANI flaw -- which Microsoft patched earlier Tuesday -- is by trying to get users to click on malicious attachments in spammed e-mails. One way of dealing with this sort of attack vector is to have strict policies in place for filtering e-mail attachments.

Security experts have for a long time now advised companies to filter out gif, JPEG, WMV and pretty much most attachment types they don't need from inbound and outbound e-mails. When deciding which attachments to allow and which to deny, it's a mistake to assume that only certain attachment types are maliciously used, said Russ Cooper, senior information security analyst with Cybertrust.

"Don't go on the basis of whether something is benign or not," Cooper said. After all, both gif and JPEG attachments were once considered benign until hackers started hiding malicious code in them. "Instead, look at what you need for your business," he said.

If there is a business need for accepting e-mails with attachments -- from a business partner, for example -- see if there's a way to restrict them to just that business partner. Or if you need to exchange zip files, for instance, consider the possibility of renaming the extension to something that just your company and your business partner know -- and permit only attachments with that extension into your network, Cooper said. "Then you can put gif, JPEG and even animated cursors if you have a need for them into those attachments," he said. "If you say 'I only want to allow these attachments and nothing else,' you have eliminated every zero-day" threat via e-mail attachments, he said.
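As an added illustration of the allow-list approach Cooper describes (this is not code from the article or from Cybertrust), the Python below evaluates a message's attachments against an explicit extension allow-list, denies everything else by default, and sniffs each permitted attachment so that a file whose bytes are a RIFF/ACON animated cursor is refused whatever its name claims. The allow-list, the hypothetical `.partnerzip` extension and the sample message are constructed for the example.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed allow-list: the hypothetical ".partnerzip" stands in for the
# renamed extension agreed with one business partner, as Cooper suggests.
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".partnerzip"}


def looks_like_ani(data: bytes) -> bool:
    """An animated cursor is a RIFF container whose form type is 'ACON'."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"


def attachment_verdicts(raw_message: bytes):
    """Return one (filename, 'allow'|'deny', reason) tuple per attachment."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = os.path.splitext(name)[1].lower()
        payload = part.get_payload(decode=True) or b""
        if ext not in ALLOWED_EXTENSIONS:
            # Default deny: anything not explicitly permitted is dropped.
            verdicts.append((name, "deny", "extension not on the allow-list"))
        elif looks_like_ani(payload):
            # Name is permitted, but the bytes say ANI: the name was a lie.
            verdicts.append((name, "deny", "content is an ANI cursor despite the name"))
        else:
            verdicts.append((name, "allow", "permitted type, content is not ANI"))
    return verdicts


def build_sample_message() -> bytes:
    """Constructed message: a harmless note, a renamed ANI, and a plain .ani."""
    fake_ani = b"RIFF" + (20).to_bytes(4, "little") + b"ACON" + b"\x00" * 12
    msg = EmailMessage()
    msg["From"] = "partner@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment("meeting notes", filename="notes.txt")
    msg.add_attachment(fake_ani, maintype="application", subtype="pdf",
                       filename="report.pdf")
    msg.add_attachment(fake_ani, maintype="application", subtype="octet-stream",
                       filename="cursor.ani")
    return msg.as_bytes()
```

Running `attachment_verdicts(build_sample_message())` allows only `notes.txt`; the renamed cursor is caught by the content check and `cursor.ani` by the allow-list.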

Disable HTML e-mail

Hackers and other bad guys like HTML e-mail because it allows them to more easily hide and deliver attack code to a desktop. For instance, several of Microsoft's e-mail clients, including Outlook Express and Windows Mail for Vista, are vulnerable to attacks that insert a malicious ANI file in an HTML message. Disabling HTML can help mitigate this risk, Cooper said. By doing so, you are also blunting a lot of the phishing attacks that attempt to get users to click on URL links to malicious sites, he said.

Keep an eye on the LAN

Consider tools that don't rely on virus signatures alone to detect infected systems. Instead, implement a way to quickly detect a compromised system by any anomalous behavior it might exhibit, said Lloyd Hession, chief security officer at BT Radianz, a New York-based company that offers telecommunications services to the financial industry.

Also have a way to limit the damage an infected system can do to other LAN-connected systems, he said. BT Radianz, for instance, uses a tool that gives it control over the connections a desktop makes with other systems within the LAN. "Under the previous model, you could go anywhere in the network once you are within the network," Hession said.

Now, there are rules that specify which parts of the network a system is allowed to access. The rules also spell out which systems that same system can connect to, based on the user's business requirements. Such control can help mitigate the risk of an infected computer spreading malicious code to other systems within a network. "You need to smarten the intelligence within the local network" to detect zero-day attacks faster, he said.

Filter outbound traffic

It's not enough just to inspect the traffic that's coming into your network; it's vital also to keep an eye on what's going out. Many Trojans or bot programs that get installed communicate with a remote system for further instructions on what to do next or what to download. Using outbound proxies or firewalls to look for and block such communications is one way to prevent Trojans and bots from calling home, said Johannes Ullrich, chief technology officer at the SANS Internet Storm Center (ISC).

Consider implementing a "default deny" capability at the perimeter, Cooper added. The idea is to permit only specific traffic in and out of a network gateway, while blocking everything else by default, Cooper said.

"What we are talking about is inbound and outbound rules on your router" to block, for example, outbound IRC attempts and SMTP requests, he said. To get an idea of what traffic to permit through the network, log all inbound and outbound router activity for a period of time and use that information to decide what's permissible and what's not, he said. "If you are worried about breaking functionality, allow everything that has been going through anyway and deny everything else," he said. "It's a great starting point."
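The log-then-allow procedure Cooper describes, written out as an added example (not the article's or any vendor's code): flows seen during the observation period become allow rules, his IRC and SMTP examples become explicit outbound denies, and everything else falls through to a final default-deny rule. The log format, the sample lines and the addresses are constructed assumptions.

```python
import re
from collections import Counter

# Constructed log format; a real router's syslog lines will differ.
LOG_RE = re.compile(r"^(?P<dir>IN|OUT) proto=(?P<proto>tcp|udp) src=\S+ "
                    r"dst=\S+ dport=(?P<dport>\d+)$")

# Cooper's examples of outbound traffic to refuse even if the log shows it:
# IRC and SMTP. A real rule set would exempt the mail relay; omitted here.
OUTBOUND_DENY = {("tcp", 6667), ("tcp", 25)}

# Constructed sample of one observation period.
SAMPLE_LOG = [
    "OUT proto=tcp src=10.0.0.5 dst=203.0.113.10 dport=80",
    "OUT proto=tcp src=10.0.0.5 dst=203.0.113.10 dport=443",
    "OUT proto=udp src=10.0.0.7 dst=203.0.113.53 dport=53",
    "OUT proto=tcp src=10.0.0.9 dst=198.51.100.4 dport=6667",
    "OUT proto=tcp src=10.0.0.9 dst=198.51.100.9 dport=25",
    "IN proto=tcp src=198.51.100.8 dst=10.0.0.2 dport=25",
]


def parse_log(lines):
    """Count observed (direction, proto, dport) flows; unparsable lines are skipped."""
    flows = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            flows[(m["dir"], m["proto"], int(m["dport"]))] += 1
    return flows


def build_rules(flows):
    """Allow what was seen, deny Cooper's exceptions, then deny everything else."""
    rules = []
    for direction, proto, port in sorted(flows):
        blocked = direction == "OUT" and (proto, port) in OUTBOUND_DENY
        rules.append((direction, proto, port, "deny" if blocked else "allow"))
    rules.append(("IN", "any", "any", "deny"))    # default deny inbound
    rules.append(("OUT", "any", "any", "deny"))   # default deny outbound
    return rules


def decide(rules, direction, proto, port):
    """First matching rule wins, as on a router; no match at all means deny."""
    for rdir, rproto, rport, action in rules:
        if rdir == direction and rproto in ("any", proto) and rport in ("any", port):
            return action
    return "deny"
```

Traffic that rides an allowed port, such as a bot using port 80, still passes a rule set like this, which is why the proxy inspection mentioned above remains necessary alongside it.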

Increasingly, Trojans and bot programs have begun using well-known ports such as Port 80 to communicate with the remote systems controlling them. That makes it harder to detect such traffic using outbound filtering, Hession said.

Turn off JavaScript; don't give users administrative privileges

Turning off JavaScript would have prevented some of the Web-embedded ANI exploits from reaching the user via the browser, Ullrich said. Restricting administrative privileges would have mitigated the fallout from an exploit by ensuring that a remote hacker wouldn't gain full administrative control of a system.

Ultimately, "you are less likely to go into emergency patch mode if you have other measures in place" for dealing with such threats, said Ken Dunham, director of Verisign's iDefense rapid response team.

Such measures include content filtering at the gateway for ANI files, using updated antivirus software, using Snort signatures to identify and initiate responses to possible attacks from remote sites, and user education, Dunham said.
