05/04/07

Permalink 09:39:33 am, by Larry Boggis, 89 words
Categories: Cisco MARS

Cisco Security MARS Software Version 4.2.6 Posted to CCO

Cisco Security MARS software version 4.2.6 has been posted to CCO and is now available as an upgrade to 4.2.5 (2456).

This release includes new vendor signatures, additional 3rd-party signature support and bug fixes. For information and additional details on the changes and enhancements in 4.2.6, please see the product release notes available on CCO.

As with any new software update, you should make sure you have a valid backup before upgrading. You should also review the product documentation, upgrade instructions and release notes to fully understand the impact of the new version.

05/03/07

Permalink 04:21:50 pm, by Zach Brewer, 351 words
Categories: Cisco Security Agent, Malware Analysis

McAfee Alerts on "Wedding Crasher" Site

While monitoring Cisco Security Agent logs for a client, I noticed that McAfee was sending JS/Crasher infection alerts to our CSA Management Center. The flagged files were in multiple cached HTML pages on an individual system. Naturally I was interested in what the threat was and whether or not there was potential for further infection.

JS/Crasher CSA MC events as reported by McAfee.

I googled for JS/Crasher and found that it exploits IE by calling a malicious HTML file through a JS popup window. I had enough information from the CSA event logs to know the name of the "infected" htm pages so I did another quick search in an attempt to find the site hosting the JS/Crasher pages reported by McAfee. The matching pages were located on the website of NBC (yes, the television station). It wasn't too much of a reach to assume that NBC could have some malicious code embedded in its source code by someone else - after all, Dolphin Stadium had the same thing happen right before the Super Bowl.

I started checking out the source code of the site for embedded IFrames, suspicious JavaScript, and served ads that might have malicious content when it occurred to me why McAfee was flagging the site... The site was for an NBC TV show called "Real Wedding Crashers" and as a result the word "crasher" was all over the page. McAfee's definitions detected the cached pages as malicious based upon the word crasher in the site's embedded JavaScript code.

NBC's Real Wedding Crashers page


Permalink 12:16:52 am, by Larry Boggis, 99 words
Categories: Cisco Security Agent, Priveon News

Priveon Labs Publishes New Cisco Security Agent Series Document

CSA: Interface Identification and Control with CSA 5.2

May 2, 2007 - Priveon Labs posts a new Cisco Security Agent series document detailing a new 5.2 product feature - Interface Identification and Control. With the release of Cisco Security Agent (CSA) 5.2, Cisco has added the ability to assign end-point security policies based on the network interface type in use. This new feature allows enterprises to secure their end-points via strict policies for systems both connected to the enterprise wireless network and when roaming. Priveon's latest CSA Series Document explains these capabilities and outlines the newly supported features of CSA 5.2.

Priveon Labs Research Documents

04/26/07

Permalink 06:00:56 pm, by Larry Boggis, 5231 words
Categories: Cisco MARS

Cisco MARS - System Report List (4.2.5)

I'm often asked by customers for a document that lists the available MARS system-level reports. The MARS Documentation does not directly provide this information, nor is it an easy thing to extract from the GUI.

That said, here is the complete report list available as of MARS version 4.2.5:

Activity: AAA Based Access - All Events
This report details AAA based access (e.g. to the network or to specific devices).

Activity: AAA Based Access Failure - All Events
This report details all failed AAA (e.g. RADIUS, TACACS) based access attempts. Typically, mechanisms such as 802.1x, network device access, and Cisco NAC use AAA servers for access control.

Activity: AAA Failed Auth - All Events
This report displays event details on failed AAA authentications. This report covers the following cases: regular AAA auth, 802.1x auth, L2 IP and L3 IP auth, L2 802.1x auth. An authentication may fail because of policy misconfiguration on the AAA server or wrong user credentials.

Activity: AAA Failed Auth - Top NADs
This report ranks the Network Access Devices (NADs) based on failed AAA authentications. This report covers the following cases: regular AAA auth, 802.1x auth, L2 IP and L3 IP auth, L2 802.1x auth. An authentication may fail because of policy misconfiguration on the AAA server or wrong user credentials.

Activity: AAA Failed Auth - Top Users
This report ranks the users based on failed AAA authentications. This report covers the following cases: regular AAA auth, 802.1x auth, L2 IP and L3 IP auth, L2 802.1x auth. An authentication may fail because of policy misconfiguration on the AAA server or wrong user credentials.


Permalink 01:00:24 am, by Larry Boggis, 56 words
Categories: Cisco MARS, Priveon News

Priveon Labs Publishes New Cisco Security MARS Series Document

MARS: Network Tripwire - 101

April 22, 2007 - Priveon Labs posts a new Cisco Security MARS series document detailing how to leverage the features of the Cisco MARS along with information gathered from network reporting devices to create a tripwire mechanism that can help identify and alert on malware and internal malicious network activity.

Priveon Labs Research Documents


Priveon, Inc.

Today's complex security and networking solutions require a great deal of knowledge to successfully support and operate. Priveon uses the field experience of its expert staff to develop and maintain a positive reinforcement loop between business practices and to provide the latest information to our customers. The information posted here is supported by Priveon subject-matter experts.


©2010 by Priveon, Inc.