Permalink 08:14:03 pm, by Fred Parks, 224 words
Categories: Cisco Security Agent, Systems Security Management

Configuring Cisco Security Agent LDAP Authentication

When Cisco released version of CSA they added new features that relate to LDAP authentication. Here at Priveon, we've had several customers that wanted to take advantage of those new features and implement LDAP authentication with the MC. The main problem with doing that is the scarcity of detailed information on how to actually configure the settings and what settings are relevant to one's own environment.

I wanted to give CSA Administrators a reference that would be helpful in setting up LDAP authentication on their Management Center. To that end, I put together a document that goes through detailed steps of configuring your MC to successfully communicate with your LDAP servers. Items such as the user prefix, base DN, multiple base DN's, group restriction, LDAP User Search Mode, LDAP over SSL, and configuring CSA MC user accounts are all covered. I've even added a section on how to find out LDAP values in your environment such as the Relative Distinguished Name (RDN), Canonical Name (CN), and Distinguished Name (DN) values that you will use to configure your MC.

To access the whitepaper on how you can leverage LDAP with your Cisco Security Agent MC, as well as many other CSA and security related documents, take a look at the links below.


Permalink 04:29:03 pm, by Larry Boggis, 117 words
Categories: Cisco MARS

Cisco MARS Versions 5.3.3 and 4.3.3 Posted to CCO

Since we've mentioned previous version updates, I'll go ahead and post the latest announcement that Cisco has released updates for the MARS appliances:

For Gen2 Mars devices: 5.3.3 (2774) is the upgrade from 5.3.2 (Release Notes)
For Gen1 Mars devices: 4.3.3 (2636) is the upgrade from 4.3.2 (Release Notes)

This is pretty much a maintenance release that includes Enhanced Cisco Device Support, Updates to IPS signature sets and Bug fixes.

It is extremely important that you only load the associated upgrade for your supported hardware.

As with any new software update, you should make sure you have a valid backup before upgrading. You should also review the product documentation, upgrade instructions and release notes to fully understand the impact of the new version.


Permalink 09:15:40 am, by Zach Brewer, 542 words
Categories: Malware Analysis, General Security

Nuwar Infections - No Exploit Necessary

Priveon has seen a rise in active infections of the nuwar worm in the wild since 01/15/08.
Interestingly, the variant observed doesn't even bother to use an exploit for infection (yet).

Malware delivery is achieved by means of a spammed message similar to the following:

From: holger.petz@{REMOVED}.com.au

Subject: Memories of You

Body: When Love Comes Knocking hxxp://77.xx.xx.144/

After following the URL, the user is taken to a page where they can download a "valentine's greeting."


A quick peek behind the scenes shows us that a happy valentine's day was not exactly what the author(s) intended for the unsuspecting user:


When unescaped, the two javascript snippets simply reference "with_love.exe" and "withlove.exe" in the root directory of the web server.

Once executed, the worm takes the following actions:

  • creates burito{random string}-{random string}.sys which uses rootkit functionality to hide any process with "burito" in the name
  • drops burito{random string}.ini under system32
  • Adds ImagePath = "\??\%System%\burito{random string}-{random string}.sys" under the key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\burito{Random Name}
  • attempts to communicate via UDP to a P2P network
  • uses an obfuscated ini file that lists peers

Sample Peer ini File

...truncated for brevity

So what's interesting about this worm other than the fact that it's just in time for valentine's day?

There are several similarities with the storm worm including:

  • The use of nginx 0.5.17 to host the payload
  • UDP P2P communications, a "peer" ini configuration file, and rootkit functionality to hide processes
  • Simplicity (and effectiveness) of the worm and its means of infecting the user including spammed messages and multiple hosts used in malware delivery
  • Kernel level thread injection which causes the worm to operate under services.exe (typically whitelisted) when communicating with peers

Although classified differently by some AV vendors, withlove.exe only differs slightly from the storm worm and like the storm worm, its creators will probably adapt quickly to incorporate new means of infection. Nuwar is another reminder that the storm worm and other variants aren't going away any time soon.

Quick notes on detection and prevention:

- Random ports and the use of UDP may make it difficult to spot nuwar in firewall logs
- Keep (H)IDS/(H)IPS/AV definitions and rules up to date
- Don't depend on one product for prevention
- Educate users on the dangers of downloading content from untrusted sources

For Cisco Security Agent admins - pay careful attention to any systems in Untrusted Rootkit Detected state. The dynamic creation of "burito{random string}-{random string}.sys" will trigger rootkit detected rules if a user has allowed the malware to bypass other prevention rules. Any system in the rootkit detected state should be an immediate red flag in a well-tuned CSA environment.

Nuwar CSA Event Text


Permalink 09:52:33 am, by Zach Brewer, 178 words
Categories: General Security

MBR Rootkit in the Wild

Researchers have discovered a rootkit in the wild that combines the "benefits" of Master Boot Record (MBR) viruses with the stealth properties of rootkits. Although only known until recently in research, the discovery of an MBR rootkit unsurprisingly confirms that malware writers are adapting methods to include theoretical techniques.

By patching the MBR in usermode, an MBR rootkit can surpass standard OS protection mechanisms - including Vista's much advertised driver signing. Once attached, the rootkit can ensure that it is processed every time a system boots and before the OS. Additionally, an MBR resident rootkit has the advantage of not needing registry access or other files to function.

As bots and worms have adapted other rootkit techniques it's not entirely unreasonable to expect them to also implement the properties of an MBR rootkit. With the adoption of these and other methods, discovery and mitigation of new malware will continue to be a challenge to the security community.

On the web:


Permalink 10:38:51 am, by Larry Boggis, 68 words
Categories: Cisco MARS

EOS/EOL for the Cisco Security Monitoring, Analysis, and Response System

End-of-Sale and End-of-Life Announcement for the Cisco Security Monitoring, Analysis, and Response System (Models 100, 100e, 200, GCm, and GC)

Due to the release of the new Gen-2 MARS appliance models, Cisco has recently announced the end-of-sale and end-of life dates for the Gen-1 models 100, 100e, 200, GCm, and GC.

For more information on this announcement and the continued support (active service contracts) for Gen-1 products, please see Cisco's official announcement.

<< 1 ... 21 22 23 24 25 26 27 28 29 30 31 ... 41 >>

Priveon, Inc.

Today's complex security and networking solutions require a great deal of knowledge to successfully support and operate. Priveon uses the field experience of its expert staff to develop and maintain a positive reinforcement loop between business practices and to provide the latest information to our customers. The information posted here is supported by Priveon subject-matter experts.


XML Feeds