8/8/2019 Ruin a Malware Authors Day
Ruin a malware author's whole day with a Software Restriction Policy! : )
If you're using a Limited account on Windows XP Professional Edition, or a Standard user account on Windows Vista
or Windows 7 Business/Ultimate/Enterprise Editions, consider further enhancing your security by adding a Software
Restriction Policy or using Parental Controls. Setting up a Software Restriction Policy takes just a few minutes, and
can be reversed if necessary. It's a proactive defense that won't need updates or signatures to provide protection, has
no noticeable performance impact, and protects your other layers of defense from sabotage.
Notes:
You can't use Software Restriction Policy if you have Windows XP Home Edition, but a Limited account is still strongly recommended. Try it out; if it doesn't work out well for you, you can change back to an Administrator account and use Sandboxie or DropMyRights
to protect your browsers and other likely targets, such as media players, instant-messaging programs, email programs and VoIP
software. Likewise, you can't use Software Restriction Policy directly on Windows Vista and Windows 7 Home and Starter versions either, because
they don't have a Local Group Policy. But you can use the Parental Controls feature, which uses SRP under the surface and provides
a similar type of protection. Give it a try: just apply it to your Standard User account, and whitelist all the executable files on the
system. Anything that's not on the list will not be allowed to run unless you approve it, including payloads from exploit attacks.
I've added a couple of refinements in Step 5. One refinement is for Windows Vista. The other refinement is for 64-bit versions of
Windows, which includes the 64-bit versions of Windows Vista and Windows 7, and also the rarely-used Windows XP Professional
x64 Edition.
If you're an Information Technology professional, read Microsoft's information on Software Restriction Policy for comprehensive information. The use of Software Restriction Policy that I'm showing on this page is just one possible implementation of it, most
similar to what Microsoft calls a Line-of-Business PC setup.
Here's the core idea, in visual form (in this picture, "user" is the name of my Limited account).
[yeah, whatever... just take me to the setup instructions already]
[Image: a Limited account combined with SRP. This image is from a WinXP system, but the same principle applies to Windows 7 and Vista.]
A Limited or Standard user account is good basic protection against attacks that depend upon Administrator-level privileges to succeed. A
Limited or Standard account also helps protect security software and critical system files & settings from tampering. With the Software
Restriction Policy, you take the fight to the next level. The goal of combining a non-Administrator account with Software Restriction Policy is
to prevent execution of unwanted files that might do a "hit-&-run" attack designed to function even within a Limited account. Here are a few
real-world possibilities:
- harvest email addresses from your profile for Spammers
- encrypt your documents and hold them for ransom
- delete your music, videos & documents, or send copies of them to the bad guys
- steal your game CD keys to sell on the black market
- ...or other stuff that could be accomplished by running an executable file from within a Limited account.
I see the bad guys have begun adapting "scareware" to function without Admin privileges, in response to the growing market share of Windows Vista and
Windows 7.
Software Restriction Policy can also be used to prevent uncooperative computer users from running programs from USB drives, CDs, DVDs, or
from within their user profile directory. Additionally, it protects the system from malware that auto-plays from infected CDs or USB drives, a
tactic that appears to be spreading (example: the Fujacks family of malware). UPDATE: I now have a page showing how to disable or restrict
AutoPlay, adding another proactive layer of defense against AutoPlay attacks.
But dude, I already have antivirus and a firewall. Does a Software Restriction Policy really have anything to offer me? Heck yeah. New
malware is being released every hour of the day, and it takes time for your antivirus software to get updates that detect the new malware,
leaving a window of vulnerability. Malware will often try to disarm security software as its opening move in the game, too. Your firewall can
be fooled... malware may try to borrow an "approved" program (such as your web browser) to get through your firewall protection without
triggering an alert. There are other crafty ways to get malware through the firewall, too. When you combine Software Restriction Policy and
non-Administrator user accounts, you add an entirely different, proactive layer of defense to your security strategy.
Step 1: Create a Software Restriction Policy
1. Log on with an Administrator account. Type gpedit.msc into the Run or Search box on your Start menu, click OK, and Group Policy will open.
2. Go down to Computer Configuration > Windows Settings > Security Settings, as shown in the picture below.
3. Right-click on "Software Restriction Policies" and choose New Software Restriction Policies.
Step 2: Apply the Software Restriction Policy to all software, and to all users
except Administrators
Double-click Enforcement and set it to apply to all software files and to all users except local administrators, as shown below. NOTE: as of late 2010, I'm finding that Adobe Flash Player 10.1
crashes over and over if you apply SRP to .DLL files on Vista/7. If this happens to you, you can change this setting so it doesn't apply SRP to
libraries. Hopefully this gets rectified by Adobe soon. Keep in mind that with libraries exempted, SRP no longer checks the DLLs that an allowed program loads, so only relax it if you have to. You could apply the Software Restriction Policy to all users including Administrators,
but then you'd run into occasional hangups when installing/removing software.
Step 3: Remove the LNK filetype
In the right panel, double-click Designated File Types. A panel opens. Go down the list to LNK and click it, then click the Delete button. This
adjustment allows you to use your desktop shortcuts and Quick Launch icons, which are mostly the LNK filetype.
Step 4: Switch on the protection!
Right-click on Disallowed in the Security Levels folder, and set it as the default security level.
You'll see a prompt like this. Choose "Yes."
If you want to turn the Software Restriction Policy off again, just set Unrestricted as the default, and that's the same as not having a Software
Restriction Policy at all.
Step 5: For Vista or Windows 7, and/or 64-bit versions of Windows, add
some rules
Adjustment for 64-bit Windows: 64-bit versions of Windows (Vista, Windows 7 and XP Pro x64 Edition) have an extra Program Files directory named
C:\Program Files (x86). The default rules only cover C:\Program Files, so click on
Additional Rules and make a new Path Rule that makes that directory Unrestricted, so software that's
installed there is allowed to run. Scroll down for an example of how to make a Path Rule.
Adjustment for Vista: In Step 2, you made your Administrator account exempt from the Software Restriction Policy, so you can use your
Administrator account to install/remove software. But with Windows Vista (and Windows 7, with User Account Control on), even if you're logged on as an Administrator, programs (including
software installers) are still launched with non-Administrator privilege levels. So your Software Restriction Policy will stop them.
Easy solution: If you want to run a file that your Software Restriction Policy is preventing, simply right-click the file and choose Run as
Administrator. That was easy, wasn't it? : ) Remember that you will need to do this to run setup programs when installing stuff from a CD or
DVD, too.
Remind me again, why is this beneficial? As the first picture on this page illustrates, combining a Software Restriction Policy with a Limited or
Standard account puts the bad guys in an impasse. If they're exploiting your Limited user account, then they won't be able to save a payload
file (say, an infectious .exe file) to anywhere that Windows will let them actually execute it. This makes entire classes of exploits worthless to
the bad guys, even when the system's technically vulnerable. For a concrete example, see my firsthand WMF Exploit testing. The Software
Restriction Policy also prevents malware from attacking via an infected USB drive or an infected CD. Keep in mind what it does not do: SRP only
checks files that Windows is asked to launch (the Designated File Types), so code that runs inside an already-exploited program is out of its reach.
That's why it is a layer on top of the non-Administrator account and your patching, not a replacement for them.
OK, I see a possible problem here. What if I have software that isn't in an "SRP-approved" location? As you saw above in Step 5, you can
create a new Path rule or a new Hash rule if you need to run executable files that aren't in the usual locations. Obviously, you will save
yourself some trouble if you simply make sure software installs to someplace in the C:\Program Files directory, rather than into oddball locations.
For example, I have UT2004 Demo installed. It installed to a weird place, C:\UT2004Demo. Obviously, the smart thing to do would be to
uninstall it, then reinstall it and modify the installation folder to be C:\Program Files\UT2004Demo, which is a location that the SRP has set
Unrestricted. But for the sake of example:
The actual UT2004.exe file is in C:\UT2004Demo\System, and since there's a bunch of supporting files in that same folder too, I decided to
do a Path rule for the whole folder. Easily done, I just right-click in the Additional Rules panel and choose New Path Rule:
Now the files in that folder will be exempt from the Software Restriction Policy.
One check before you add a Path rule like this: make sure your Limited account can't write to the folder. The reason C:\Program Files and
C:\Windows are safe to leave Unrestricted is that only Administrators can put files there. A folder created at the root of C:\ usually inherits
permissions that let any user modify it, so an Unrestricted rule on it would let malware running in the Limited account drop an .exe there and
run it. Check with icacls (or cacls on XP), and if Users or Authenticated Users have Modify, either tighten the permissions or use a Hash rule
for the specific .exe instead.
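Here is the whole procedure, Steps 1 through 5 plus the Path rule just shown, as a PowerShell script. This is an added example and not code from the original page; it writes the same registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer that gpedit.msc writes for a local policy, and it adds the permissions check described above so that a user-writable folder is never whitelisted by accident. The C:\UT2004Demo\System path is the page's example, not something assumed to exist on your machine. Run it from an elevated (Run as administrator) PowerShell prompt.

```powershell
# Added example (not from the original page): scripted equivalent of Steps 1-5
# and the UT2004Demo Path rule. Writes the registry values that gpedit.msc writes.
$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0         # SAFER_LEVELID_DISALLOWED
$Unrestricted = 262144    # SAFER_LEVELID_FULLYTRUSTED (0x40000)

# Back up any existing policy so the change can be reversed with "reg import".
if (Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer') {
    $backup = Join-Path $env:TEMP ('safer-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    reg.exe export 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer' $backup /y | Out-Null
    Write-Host "Previous policy exported to $backup"
}

function Set-SaferValue($Name, $Value, $Type) {
    if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }
    New-ItemProperty -Path $Safer -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function New-SrpPathRule {
    # One Additional Rule of type Path. Rules live under a subkey named after the
    # security level they grant (0 = Disallowed, 262144 = Unrestricted).
    param([string]$Path, [int]$Level = $Unrestricted, [string]$Description = '')
    $key = Join-Path $Safer ("$Level\Paths\" + [guid]::NewGuid().ToString('B'))
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -Value $Description -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -Value (Get-Date).ToFileTime() -PropertyType QWord -Force | Out-Null
    $key
}

function Test-UserWritable {
    # $true if Users, Authenticated Users or Everyone hold any write right on the
    # folder: an Unrestricted rule there would let a Limited user drop and run an .exe.
    param([string]$Path)
    $broad = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    $write = [int][System.Security.AccessControl.FileSystemRights]::Write
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $ace.IdentityReference.Value -and
            (([int]($ace.FileSystemRights)) -band $write) -ne 0) { return $true }
    }
    $false
}

# Steps 1 and 2: create the policy; Enforcement = all software files including DLLs
# (use 1 instead of 2 for "except libraries" if Flash misbehaves), all users except
# local administrators (PolicyScope 1). Certificate rules stay off, as in gpedit.
Set-SaferValue TransparentEnabled  2 DWord
Set-SaferValue PolicyScope         1 DWord
Set-SaferValue AuthenticodeEnabled 0 DWord
Set-SaferValue DefaultLevel $Unrestricted DWord   # flipped to Disallowed at the end

# Step 3: Designated File Types minus LNK, so shortcuts keep working.
$types = (Get-ItemProperty -Path $Safer -Name ExecutableTypes -ErrorAction SilentlyContinue).ExecutableTypes
if (-not $types) {   # the list gpedit seeds for a fresh policy
    $types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS',
             'ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC'
}
Set-SaferValue ExecutableTypes ([string[]]($types | Where-Object { $_ -ne 'LNK' })) MultiString

# The two Unrestricted rules gpedit creates for every new policy. Without them a
# Disallowed default would block Windows itself and everything in Program Files.
$existing = @(Get-ChildItem (Join-Path $Safer "$Unrestricted\Paths") -ErrorAction SilentlyContinue |
              ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData })
foreach ($p in '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%',
               '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProgramFilesDir%') {
    if ($existing -notcontains $p) { New-SrpPathRule -Path $p -Description 'Default rule' | Out-Null }
}

# Step 5 (64-bit): the second Program Files directory needs its own rule.
$x86 = ${env:ProgramFiles(x86)}
if ($x86 -and $existing -notcontains $x86) { New-SrpPathRule -Path $x86 -Description '32-bit program files' | Out-Null }

# The page's example folder: whitelist it only if Limited users cannot write there.
$odd = 'C:\UT2004Demo\System'
if (Test-Path $odd) {
    if (Test-UserWritable $odd) {
        Write-Warning "$odd is writable by non-administrators; fix its permissions before making it Unrestricted."
    } elseif ($existing -notcontains $odd) {
        New-SrpPathRule -Path $odd -Description 'UT2004 Demo' | Out-Null
    }
}

# Step 4 last, so the rules above exist before the default becomes Disallowed.
Set-SaferValue DefaultLevel $Disallowed DWord
Write-Host 'Software Restriction Policy is on. Log off and back on before testing from the Limited account.'
```

To confirm it works, log on to the Limited account, copy any .exe to the Desktop and double-click it: Windows should refuse with "This program is blocked by group policy". To undo everything, import the .reg file the script exported, or set DefaultLevel back to 262144 as described in Step 4.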
I need to troubleshoot my Software Restriction Policy, because it's having unexpected side effects! Click on Start > Run, type
compmgmt.msc in the Run box, and click OK to open Computer Management, then look in Event Viewer's Application log to see what the
Software Restriction Policy is preventing (the entries come from the Software Restriction Policy source, event IDs 865 through 868 and 882). Then you can make exceptions in the Additional Rules area as needed.
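The same troubleshooting from a PowerShell prompt, as an added example that is not part of the original page. The first function lists the SRP block events from the Application log (865 = blocked by the default level, 866 = path rule, 867 = certificate rule, 868 = zone rule, 882 = hash rule). The rest turns on SRP's own text log, which records every decision, allowed or not, and summarizes which paths were refused. The log location is an assumption: each program writes to the log itself, so the file must be somewhere every account can write. The sample log lines are constructed for the demonstration, not captured from a real system.

```powershell
# Added example (not from the original page): SRP troubleshooting helpers.
$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpBlockEvents {
    # Newest-first list of the Application-log events SRP writes when it blocks a file.
    param([int]$Newest = 25)
    $srpIds = 865, 866, 867, 868, 882
    Get-EventLog -LogName Application |
        Where-Object { $srpIds -contains $_.EventID } |
        Select-Object -First $Newest |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time    = $_.TimeGenerated
                EventID = $_.EventID
                User    = $_.UserName
                Message = ($_.Message -replace '\s+', ' ')
            }
        }
}

function Enable-SrpLog([string]$LogFile = 'C:\Users\Public\srp-log.txt') {
    # Advanced logging (LogFileName value): one line per decision for every process
    # and DLL evaluated. Run as administrator; disable it again when done, it grows fast.
    New-ItemProperty -Path $Safer -Name LogFileName -Value $LogFile -PropertyType String -Force | Out-Null
}
function Disable-SrpLog { Remove-ItemProperty -Path $Safer -Name LogFileName -ErrorAction SilentlyContinue }

function ConvertFrom-SrpLogLine {
    # Parses advanced-log lines of the form
    #   <parent.exe> (PID = n) identified <path> as <Level> using <kind> rule, Guid = {...}
    param([Parameter(ValueFromPipeline=$true)][string]$Line)
    process {
        if ($Line -match '^(?<proc>.+?) \(PID = (?<pid>\d+)\) identified (?<path>.+) as (?<level>\w+) using (?<rule>.+?) rule, Guid = (?<guid>\{[^}]+\})') {
            New-Object PSObject -Property @{
                Process = $matches.proc; ProcessId = [int]$matches.pid; Path = $matches.path
                Level   = $matches.level; Rule = $matches.rule; Guid = $matches.guid
            }
        }
    }
}

function Get-SrpDisallowedPaths([string]$LogFile = 'C:\Users\Public\srp-log.txt') {
    # Distinct refused paths with a hit count: decide which deserve an Additional
    # Rule and which are exactly what the policy is there to stop.
    Get-Content $LogFile | ConvertFrom-SrpLogLine |
        Where-Object { $_.Level -eq 'Disallowed' } |
        Group-Object Path | Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample lines in the advanced log's format (not a real capture),
# so the parser can be exercised without enabling the log.
$sample = @(
    'explorer.exe (PID = 1324) identified C:\Windows\system32\notepad.exe as Unrestricted using path rule, Guid = {00000000-0000-0000-0000-000000000001}',
    'explorer.exe (PID = 1324) identified C:\Users\user\Desktop\free_screensaver.exe as Disallowed using default rule, Guid = {00000000-0000-0000-0000-000000000002}',
    'firefox.exe (PID = 2210) identified C:\Users\user\AppData\Local\Temp\setup.exe as Disallowed using default rule, Guid = {00000000-0000-0000-0000-000000000002}'
)
$sample | ConvertFrom-SrpLogLine | Where-Object { $_.Level -eq 'Disallowed' } |
    Group-Object Path | Select-Object Count, Name | Format-Table -AutoSize

Get-SrpBlockEvents | Format-Table Time, EventID, User, Message -AutoSize
```

Run Get-SrpBlockEvents first; it usually answers the question. Reach for Enable-SrpLog only when a program fails silently (for example a blocked DLL with no event of its own), and remove the LogFileName value afterwards.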