{"id":1200,"date":"2010-08-19T23:32:30","date_gmt":"2010-08-20T07:32:30","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=1200"},"modified":"2010-08-19T23:33:03","modified_gmt":"2010-08-20T07:33:03","slug":"how-palo-alto-network%e2%80%99s-next-generation-firewalls-protect-against-torpig-attack","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2010\/08\/how-palo-alto-network%e2%80%99s-next-generation-firewalls-protect-against-torpig-attack\/","title":{"rendered":"How Palo Alto Network\u2019s Next-Generation Firewalls Protect Against Torpig Attack"},"content":{"rendered":"<p>In this blog, I talk about how our next-generation firewalls protect against <a href=\"http:\/\/en.wikipedia.org\/wiki\/Botnets\" rel=\"nofollow,noopener\"  target=\"_blank\">botnets<\/a> such as Torpig. There are three parts to a botnet attack:<\/p>\n<p><strong>1. The user visits a website that starts the chain of events leading to a Torpig infection<\/strong><\/p>\n<p>There are two ways in which this can happen:<\/p>\n<p><!--more--><\/p>\n<p><em>a.\u00a0 \u00a0The user is tricked into going to a website that he\/she did not intend to visit in the first place<\/em><\/p>\n<p>This is typically a phishing attack: a link in an e-mail or message lures the user to the site. Once the user visits such a website, the website starts delivering exploits to the user\u2019s computer without any user interaction. Such downloads are also referred to as <a href=\"http:\/\/en.wikipedia.org\/wiki\/Drive-by_download\" rel=\"nofollow,noopener\"  target=\"_blank\">drive-by downloads<\/a> in the sense that the user did not have to explicitly download the exploits; merely visiting the website causes the download to happen.<\/p>\n<p>Such attacks can usually be nipped in the bud by a URL filtering solution that detects the user\u2019s traffic going to a pre-categorized malware website. 
Our next-generation firewalls provide a URL filtering solution that detects such traffic and thereby prevents the attack.<\/p>\n<p><em>b.\u00a0 The user goes to a popular website that has recently been compromised<\/em><\/p>\n<p>This happened recently with songlyrics.com. The website was hacked and its HTML content was modified to include a <a href=\"http:\/\/www.guardian.co.uk\/technology\/2008\/apr\/03\/security.google\" rel=\"nofollow,noopener\"  target=\"_blank\">malicious &lt;iframe&gt;<\/a> that in turn directed the user\u2019s browser to a malware hosting site. Note that an &lt;iframe&gt; by itself is not harmful; it is part of the standard HTML specification. Only certain usages of &lt;iframe&gt; are malicious (typically a frame that is invisible to the user and pulls content from an unrelated, attacker-controlled host), so any signature that protects against malicious &lt;iframe&gt;s must be written such that it does not generate false positives on legitimate embeds. Palo Alto Networks' next-generation firewalls currently have three such signatures to detect malicious iframes.<\/p>\n<p><a href=\"http:\/\/www.paloaltonetworks.com\/researchcenter\/wp-content\/uploads\/2010\/08\/blog15.jpg\"><div style=\"max-width:100%\" data-width=\"782\"><span class=\"ar-custom\" style=\"padding-bottom:12.53%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"aligncenter size-full wp-image-1220 lozad\" title=\"blog1\"  data-src=\"http:\/\/www.paloaltonetworks.com\/researchcenter\/wp-content\/uploads\/2010\/08\/blog15.jpg\" alt=\"\" width=\"782\" height=\"98\" srcset=\"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2010\/08\/blog15.jpg 782w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2010\/08\/blog15-300x37.jpg 300w\" sizes=\"auto, (max-width: 782px) 100vw, 782px\" \/><\/span><\/div><\/a><\/p>\n<p>&lt;above information is available on <a href=\"http:\/\/support.paloaltonetworks.com\/\">support.paloaltonetworks.com<\/a> website under \"Threat Database\" 
link&gt;<\/p>\n<p><strong>2. \u00a0 The &lt;iframe&gt; in the page directs the user\u2019s machine to a malware site that serves exploits<\/strong><\/p>\n<p>As mentioned earlier, the &lt;iframe&gt; directs the user\u2019s browser to a malware hosting site, which can once again \u201cvery likely\u201d be caught by the URL filtering solution. I mentioned \u201cvery likely\u201d because it depends on how long the malware website has been up; if the website is very recent, it is possible that the URL filtering database has not yet tagged it as malicious.<\/p>\n<p>In any case, let\u2019s assume for now that URL filtering does not stop the traffic. The malware site now starts throwing exploits at the user\u2019s computer, trying to exploit an unpatched or even zero-day vulnerability. Once one of them succeeds, the malware site downloads the actual malware\/virus to the computer, which turns it into a \u201cbot\u201d.<\/p>\n<p>Our next-generation firewalls can stop such an attack using our vulnerability-based signatures. Here, it is important to distinguish between vulnerability-based and exploit-based signatures. An exploit-based signature matches the bytes of one particular exploit, so a re-encoded or differently obfuscated exploit for the same vulnerability slips past it; it protects against only <em>certain<\/em> attack vectors. A vulnerability-based signature instead matches the condition that triggers the flaw (for example, an over-long field or an out-of-range value), so a single such signature protects against <em>all<\/em> the different attacks that try to take advantage of that vulnerability. Clearly, it is desirable to have vulnerability-based signatures, as they provide the most comprehensive protection. One caveat applies to either kind: a signature can only exist for a vulnerability that is already known to the vendor, so against a genuine zero-day the other layers (URL filtering, antivirus and command-and-control detection) have to catch the attack.<\/p>\n<p>At Palo Alto Networks, our threat team spends considerable time understanding vulnerabilities and creating signatures that protect against the vulnerability itself.\u00a0In fact, the Palo Alto Networks Threat Team has been recognized several times by Microsoft for discovering and reporting Microsoft-related vulnerabilities. 
Palo Alto Networks is the only private company in the top 5 list of companies that have reported vulnerabilities to Microsoft.<\/p>\n<p>Customers should also be mindful of the packet latency that threat prevention adds. Due to its single-pass architecture, Palo Alto Networks' next-generation firewall scans the content only once, and the results of that single scan feed vulnerability\/spyware\/virus blocking, file blocking and URL filtering. In particular, our antivirus solution is stream-based rather than file-based. File-based antivirus solutions first download the entire file and <em>then<\/em> run virus checks on it, which holds the whole file in the device and increases packet latency. A stream-based solution does the virus checking <em>while<\/em> the file is in transit, which is clearly preferable from the user's perspective.<\/p>\n<p>Coming back to exploits: once the user\u2019s machine is successfully compromised, the malware website downloads an executable file (virus), which in the case of Torpig installs Mebroot, the rootkit that in turn loads Torpig. Most IPSes do not cover virus protection.\u00a0Palo Alto Networks' next-generation firewall, however, provides a strong antivirus solution. We receive several thousand virus samples from our partners. Our threat team analyzes the samples, looks for malicious patterns in the files and then defines virus signatures that each detect <em>several<\/em> samples. This keeps the virus signature footprint small.<\/p>\n<p>Specifically for Torpig, we have over\u00a0<strong>6400 signatures <\/strong>to capture Torpig-related malicious executable files. These signatures provide coverage against roughly <strong>12,800 malicious samples <\/strong>(each Torpig signature on average covers 2 samples).<\/p>\n<p><strong>3. 
The malicious code installed on the victim\u2019s computer sends personal information to Torpig\u2019s command-and-control servers<\/strong><\/p>\n<p>This is the step that makes money for the attacker (by stealing personal financial information from the victims).<\/p>\n<p>Currently, we provide three signatures to capture such traffic. Once again, this is a cat-and-mouse game between attackers coming up with different traffic profiles for connecting to command-and-control servers and anti-spyware vendors blocking such traffic with a signature for each new profile.<\/p>\n<p><a href=\"http:\/\/www.paloaltonetworks.com\/researchcenter\/wp-content\/uploads\/2010\/08\/blog2.jpg\"><div style=\"max-width:100%\" data-width=\"764\"><span class=\"ar-custom\" style=\"padding-bottom:10.21%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"aligncenter size-full wp-image-1221 lozad\" title=\"blog2\"  data-src=\"http:\/\/www.paloaltonetworks.com\/researchcenter\/wp-content\/uploads\/2010\/08\/blog2.jpg\" alt=\"\" width=\"764\" height=\"78\" srcset=\"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2010\/08\/blog2.jpg 764w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2010\/08\/blog2-300x30.jpg 300w\" sizes=\"auto, (max-width: 764px) 100vw, 764px\" \/><\/span><\/div><\/a><a href=\"http:\/\/www.paloaltonetworks.com\/researchcenter\/wp-content\/uploads\/2010\/08\/blog3.jpg\"><div style=\"max-width:100%\" data-width=\"775\"><span class=\"ar-custom\" style=\"padding-bottom:6.71%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"aligncenter size-full wp-image-1222 lozad\" title=\"blog3\"  data-src=\"http:\/\/www.paloaltonetworks.com\/researchcenter\/wp-content\/uploads\/2010\/08\/blog3.jpg\" alt=\"\" width=\"775\" height=\"52\" srcset=\"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2010\/08\/blog3.jpg 775w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2010\/08\/blog3-300x20.jpg 
300w\" sizes=\"auto, (max-width: 775px) 100vw, 775px\" \/><\/span><\/div><\/a><\/p>\n<p>In the picture above, the second signature (12657) corresponds to the DNS traffic that our threat team identified as Torpig DNS requests.<\/p>\n<p>Following is the packet dump of a DNS response delivered to a Torpig-infected host. The first 14 bytes are the Ethernet header; the blue part is the IP header, the red part is the UDP header and the rest is the DNS message.\u00a0The query was for an A record of yaztirpa.net; the response carries no answers, and its authority section names ns1.torpig-sinkhole.org and ns2.torpig-sinkhole.org as the name servers for that domain. In other words, the domain the bot asked for has been sinkholed, and the authoritative servers it is referred to belong to the sinkhole operator.<\/p>\n<p>0000 \u00a000 16 d3 2d 22 b4 00 18 \u00a073 d7 08 5d 08 00\u00a0<span style=\"color: #00ccff;\">45 88<\/span> ...-\"... s..]..E.<\/p>\n<p><span style=\"color: #00ccff;\">0010 \u00a000 71 00 00 40 00 33 11 \u00a00b 93 c0 36 70 1e 0a 01<\/span> .q..@.3. ...6p...<\/p>\n<p><span style=\"color: #00ccff;\">0020 \u00a001 0c<\/span> <span style=\"color: #ff0000;\">00 35 46 e4 00 5d \u00a024 13<\/span> 00 08 80 00 00 01 \u00a0 ...5F..] $.......<\/p>\n<p>0030 \u00a000 00 00 02 00 00 08 79 \u00a061 7a 74 69 72 70 61 03 \u00a0 .......y aztirpa.<\/p>\n<p>0040 \u00a06e 65 74 00 00 01 00 01 \u00a0c0 0c 00 02 00 01 00 02 \u00a0 net..... ........<\/p>\n<p>0050 \u00a0a3 00 00 19 03 6e 73 31 \u00a00f 74 6f 72 70 69 67 2d \u00a0 .....ns1 .torpig-<\/p>\n<p>0060 \u00a073 69 6e 6b 68 6f 6c 65 \u00a003 6f 72 67 00 c0 0c 00 \u00a0 sinkhole .org....<\/p>\n<p>0070 \u00a002 00 01 00 02 a3 00 00 \u00a006 03 6e 73 32 c0 2e \u00a0 \u00a0 \u00a0........ ..ns2..<\/p>\n<p>We created a signature to catch such DNS responses. Whenever the signature triggers on a network, one can be fairly sure that there are Torpig-infected systems on it. Note what the signature identifies: the destination of the response (10.1.1.12 in this capture) is the host that sent the query. If that host is a recursive resolver rather than the infected machine itself, the resolver\u2019s own query logs are needed to find the client that asked for the domain.<\/p>\n<p>Overall, to effectively block or mitigate such attacks, any threat prevention solution needs to be comprehensive without significant performance degradation. 
Our next-generation firewalls combine all elements of threat prevention (URL filtering, vulnerability protection, spyware protection and virus protection) at hardware-accelerated speeds and provide risk mitigation for botnet-related attacks.<\/p>\n<p>External links for Torpig:<\/p>\n<p><a href=\"http:\/\/en.wikipedia.org\/wiki\/Torpig\" rel=\"nofollow,noopener\" >http:\/\/en.wikipedia.org\/wiki\/Torpig<\/a><\/p>\n<p><a href=\"http:\/\/www.cs.ucsb.edu\/~seclab\/projects\/torpig\/torpig.pdf\" rel=\"nofollow,noopener\" >http:\/\/www.cs.ucsb.edu\/~seclab\/projects\/torpig\/torpig.pdf<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this blog, I talk about how our next-generation firewalls protect against botnets such as Torpig. There are 3 parts to a botnet attack: 1. User visits a website which starts a &hellip;<\/p>\n","protected":false},"author":156,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[32],"tags":[66],"coauthors":[812],"class_list":["post-1200","post","type-post","status-publish","format-standard","hentry","category-threat-advisoryanalysis","tag-botnet"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/1200","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/156"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=1200"}],"version-history":[{"count":18,"href":"htt
ps:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/1200\/revisions"}],"predecessor-version":[{"id":1230,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/1200\/revisions\/1230"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=1200"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=1200"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=1200"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=1200"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
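The point made in part 1b of the post, that an iframe signature has to be written so it does not fire on legitimate embeds, as an added example. This is illustrative code written for this page, not Palo Alto Networks' signature logic (which the post does not publish). A naive signature that matches any iframe tag is compared with a tightened one that only alerts when the frame is invisible to the user (zero or one-pixel dimensions, or hidden via inline style) and its src is served from a host other than the page's own. The three sample pages, their URLs and the address 198.51.100.7 are constructed for the example.

```python
"""Added example: a naive vs. a tightened 'malicious iframe' signature.

Illustrative code for this page, not the firewall's own signature logic.
The sample pages below are constructed; 198.51.100.7 is a documentation
address (RFC 5737), not a real malware host.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def naive_signature(html):
    """Signature A: fire on any <iframe> tag. Returns the number of hits.
    This is the kind of signature that floods an analyst with false positives."""
    return len(re.findall(r"<iframe\b", html, re.IGNORECASE))


def _dimension(value):
    """Parse width/height values such as '0', '1px', ' 560 '; None if unusable."""
    try:
        return int(str(value).strip().lower().rstrip("px"))
    except ValueError:
        return None


def _is_invisible(attrs):
    """True for frames the user cannot see: 0/1-pixel size or hidden by inline style."""
    w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
    style = attrs.get("style", "").replace(" ", "").lower()
    return tiny or "visibility:hidden" in style or "display:none" in style


def tightened_signature(page_url, html):
    """Signature B: alert only on an invisible iframe whose src is served from a
    different host than the page itself. Returns the offending src values."""
    page_host = urlparse(page_url).hostname
    collector = IframeCollector()
    collector.feed(html)
    collector.close()
    alerts = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        src_host = urlparse(src).hostname  # None for relative (same-origin) URLs
        if src_host and src_host != page_host and _is_invisible(attrs):
            alerts.append(src)
    return alerts


# Constructed sample pages: (URL the page was fetched from, HTML body).
PAGES = [
    # 1. a compromised page with an injected, invisible, off-site iframe
    ("http://www.example.com/lyrics/song.html",
     '<html><body><h1>Lyrics</h1><p>...</p>'
     '<iframe src="http://198.51.100.7/in.cgi?3" width="0" height="0" '
     'style="visibility: hidden"></iframe></body></html>'),
    # 2. a legitimate, visible video embed from another host
    ("http://www.example.com/blog/post.html",
     '<html><body><iframe width="560" height="315" '
     'src="https://www.youtube.com/embed/VIDEO_ID"></iframe></body></html>'),
    # 3. a hidden but same-origin iframe (a common, benign counter/session trick)
    ("http://www.example.com/index.html",
     '<html><body><iframe src="/counter.html" width="0" height="0"></iframe>'
     '</body></html>'),
]


def compare_signatures(pages=PAGES):
    """Run both signatures over every page: [(naive hit count, tightened alerts)]."""
    return [(naive_signature(html), tightened_signature(url, html)) for url, html in pages]


if __name__ == "__main__":
    for (url, _), (naive, tight) in zip(PAGES, compare_signatures()):
        print(f"{url}: naive={naive} tightened={tight}")
```

The naive signature hits all three pages; the tightened one hits only the compromised page. The tightened check is still only one dimension of the problem: an attacker can use a 2x2 frame, position it off-screen through an external stylesheet, or emit the iframe from obfuscated JavaScript so it never appears in the HTML at all, which is why a real signature set needs several signatures rather than one.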
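The stream-based versus file-based antivirus distinction from part 2 of the post, as an added example (illustrative code for this page, not the product's implementation). A stream scanner checks each TCP segment as it arrives and keeps a short overlap from the previous segment so that a signature split across two segments is still matched; it is compared with a file-based scanner that must buffer the whole download before it can give a verdict, and with a naive per-segment scanner that misses the split case. The signature is the EICAR test string; the download bodies and the 1460-byte segment size (a typical TCP payload size) are constructed for the example.

```python
"""Added example: stream-based vs. file-based virus scanning.

Illustrative code for this page, not the firewall's implementation. The
signature is the EICAR test string; the download bodies and the 1460-byte
segment size are constructed for the example.
"""

EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {"EICAR-Test-File": EICAR}
SEGMENT = 1460


class StreamScanner:
    """Scans a byte stream segment by segment. Keeps the last (longest signature
    length - 1) bytes of what it has already seen, so a signature that straddles
    a segment boundary is still found without buffering the whole file."""

    def __init__(self, signatures):
        self.signatures = signatures
        self.overlap = max(len(s) for s in signatures.values()) - 1
        self.tail = b""
        self.consumed = 0  # bytes already scanned (and therefore forwarded)

    def feed(self, segment):
        """Return (signature name, absolute offset of the match) or None."""
        window = self.tail + segment
        base = self.consumed - len(self.tail)
        for name, pattern in self.signatures.items():
            idx = window.find(pattern)
            if idx != -1:
                return name, base + idx
        self.consumed += len(segment)
        self.tail = window[-self.overlap:] if self.overlap else b""
        return None


def scan_stream(segments, signatures=SIGNATURES):
    """Stream-based: scan as segments arrive. Returns (hit, bytes forwarded before
    the verdict). The segment that completes the match is dropped, so the client
    never receives a complete copy of the detected file."""
    scanner = StreamScanner(signatures)
    forwarded = 0
    for segment in segments:
        hit = scanner.feed(segment)
        if hit:
            return hit, forwarded
        forwarded += len(segment)
    return None, forwarded


def scan_file(segments, signatures=SIGNATURES):
    """File-based: buffer the whole transfer, then scan. Returns (hit, bytes that
    had to be held before a verdict was possible)."""
    data = b"".join(segments)
    for name, pattern in signatures.items():
        idx = data.find(pattern)
        if idx != -1:
            return (name, idx), len(data)
    return None, len(data)


def scan_segments_naive(segments, signatures=SIGNATURES):
    """Broken stream scanner with no overlap: a match split across two segments
    is invisible to it."""
    offset = 0
    for segment in segments:
        for name, pattern in signatures.items():
            idx = segment.find(pattern)
            if idx != -1:
                return name, offset + idx
        offset += len(segment)
    return None


def split(data, size=SEGMENT):
    """Cut a byte string into TCP-sized segments."""
    return [data[i:i + size] for i in range(0, len(data), size)]


# Constructed downloads. EICAR is placed at offset 2900 so that it straddles the
# boundary between the second and third 1460-byte segments (which falls at 2920).
SAMPLE_DOWNLOAD = b"A" * 2900 + EICAR + b"B" * 3000
CLEAN_DOWNLOAD = b"A" * 5968


def demo():
    """Verdict of each scanner on the infected sample and on the clean one."""
    infected, clean = split(SAMPLE_DOWNLOAD), split(CLEAN_DOWNLOAD)
    return {
        "stream": scan_stream(infected),
        "file": scan_file(infected),
        "naive": scan_segments_naive(infected),
        "stream_clean": scan_stream(clean),
    }


if __name__ == "__main__":
    for scanner, verdict in demo().items():
        print(scanner, verdict)
```

The stream scanner reaches its verdict after forwarding 2920 bytes, the file-based one only after holding all 5968. The cost of the stream approach is visible in that first number: the bytes already forwarded are on the client, so the device has to cut the session the moment the signature matches, and the overlap buffer is what keeps a signature split across segments from slipping through, as the naive scanner shows.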
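The DNS response dissected in part 3 of the post, parsed programmatically, as an added example (illustrative code for this page, not the product's signature). The frame bytes are transcribed from the hex dump in the post; the parser walks Ethernet, IPv4 and UDP, then decodes the DNS message including the RFC 1035 name-compression pointers that appear in the dump (c0 0c and c0 2e), and a small detection function reports the queried domain, the sinkhole name servers and the host the response was delivered to. The torpig-sinkhole.org suffix used as the detection key comes from the dump itself; the function names and the layout of the returned dicts are this example's own.

```python
"""Added example: parse the DNS response from the post's packet dump and flag
the sinkhole name servers in its authority section.

Illustrative code for this page, not the firewall's signature. FRAME is
transcribed byte for byte from the post's hex dump; SINKHOLE_SUFFIX comes from
the same dump. Function names and result layout are this example's own.
"""
import struct

FRAME = bytes.fromhex(
    "0016d32d22b4001873d7085d08004588"   # Ethernet header, first 2 bytes of IP
    "00710000400033110b93c036701e0a01"
    "010c003546e4005d2413000880000001"   # end of IP, UDP header, DNS header
    "0000000200000879617a746972706103"
    "6e65740000010001c00c000200010002"
    "a3000019036e73310f746f727069672d"
    "73696e6b686f6c65036f726700c00c00"
    "0200010002a3000006036e7332c02e"
)

NS, CNAME, PTR = 2, 5, 12
SINKHOLE_SUFFIX = ".torpig-sinkhole.org"   # from the dump's NS records


def read_name(msg, offset):
    """Read a domain name at `offset`, following RFC 1035 compression pointers
    (0xC0xx). Returns (name, offset just past the name where it was first read)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                  # resume here after the jump
            hops += 1
            if hops > 16 or pointer >= offset:    # refuse forward or looping pointers
                raise ValueError("bad compression pointer")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_dns(msg):
    """Parse a DNS message into header flags, questions and the three RR sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    result = {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
              "rcode": flags & 0x000F, "questions": questions}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if rtype in (NS, CNAME, PTR):          # rdata is itself a (compressed) name
                rdata = read_name(msg, off)[0]
            off += rdlen
            records.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
        result[section] = records
    return result


def parse_frame(frame):
    """Ethernet -> IPv4 -> UDP -> DNS. Returns addresses, ports and the parsed message."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    if proto != 17:
        raise ValueError("not UDP")
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    udp = ip[ihl:total_len]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "dns": parse_dns(udp[8:ulen])}


def sinkhole_hit(parsed):
    """Detection logic: a DNS response whose authority section delegates the
    queried domain to the sinkhole. Returns None, or the queried domain, the
    sinkhole name servers and the host the response was delivered to."""
    dns = parsed["dns"]
    if not dns["qr"] or not dns["questions"]:
        return None
    sinkhole_ns = [rr["rdata"] for rr in dns["authority"]
                   if rr["type"] == NS and rr["rdata"].endswith(SINKHOLE_SUFFIX)]
    if not sinkhole_ns:
        return None
    return {"client": parsed["dst"], "domain": dns["questions"][0][0],
            "name_servers": sinkhole_ns}


if __name__ == "__main__":
    print(sinkhole_hit(parse_frame(FRAME)))
```

Run stand-alone it reports yaztirpa.net delegated to ns1 and ns2 of torpig-sinkhole.org, delivered to 10.1.1.12. Matching on the NS names in the authority section rather than on the queried domain is deliberate: Torpig generated its domains algorithmically, so the domain changes while the sinkhole operator's name servers do not. The `client` field is only the infected machine if the response went to it directly; when a recursive resolver sits in between, that address is the resolver's.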