Version 1 / October 27, 2010
We're maintaining a list of guidelines for administrators who want to protect their computers and networks from binary planting attacks.
If you're an administrator of Windows systems or networks with Windows computers, please come back regularly or follow us on Twitter to stay updated on these best practices.
- Disable the WebClient service on Windows computers. Unless your users need the WebClient service (e.g., for SharePoint Portal), stop and disable it. This prevents Internet-based attacks that use the WebDAV HTTP extension to get through your Internet firewall: WebDAV is carried over ordinary HTTP, so a remote "share" reached through the WebClient redirector is typically allowed where outbound SMB is not. If some users need the service, consider disabling it for everyone else.
- Install Microsoft's CWDIllegalInDllSearch hotfix. Install the CWDIllegalInDllSearch hotfix and first set the global CWDIllegalInDllSearch registry value to 2 (you can do this with Microsoft's FixIt tool). With value 2, Windows applications will no longer load DLLs from a current working directory that is on a remote share (SMB or WebDAV), but will still load DLLs from local current working directories. From our experience, most applications work well with this setting. Then experiment with setting the global CWDIllegalInDllSearch registry value to 0xFFFFFFFF, which eliminates the current working directory from the DLL search order entirely. This will likely break some of your applications, but you can override the global setting for them by individually setting their own CWDIllegalInDllSearch registry value to 2 (the per-application value lives under the application's Image File Execution Options key). Make sure to contact the developers of these applications and ask them to fix the way they load their DLLs; the override is a workaround, not a fix. Note that without the hotfix the registry value is silently ignored, so verify that it is installed before relying on the setting.
- Deploy Windows Software Restriction Policy or Windows AppLocker. It is a very good idea to prevent execution of unwanted binaries on Windows systems in general, whether to prevent users from running unauthorized programs or to prevent malware from running on your computers. Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 feature Software Restriction Policies (SRP), which let you define rules for which binaries users may execute. Windows 7 (Enterprise and Ultimate editions) and Windows Server 2008 R2 add AppLocker, which provides more fine-grained configuration; SRP remains available on these systems as well. In order for these tools to protect against binary planting attacks, it is important to (1) enable them for all users, not just non-admins (AppLocker's suggested default DLL rules include an "Administrators may load anything" rule, and SRP has an "all users except local administrators" mode; avoid both), (2) allow loading of binaries only from trusted locations such as the system folders and "Program Files", excluding user-writable subfolders such as the Windows Temp folder, and (3) include checking of DLLs (default policies only check programs, not libraries: AppLocker's DLL rule collection must be created explicitly, and SRP only covers DLLs when its enforcement setting is "All software files" rather than "All software files except libraries").
- Use a security product that detects unknown or modified binaries. Use a personal firewall, antivirus suite, host intrusion prevention system or similar product that detects the loading of unknown or modified executables or libraries and blocks it. Keep in mind that a planted binary is usually not known malware, so purely signature-based detection will not catch it; what helps here is alerting on any unknown, unsigned or modified module being loaded, ideally from a location where no code is expected.
- Have your Windows environment professionally analyzed for binary planting vulnerabilities. Our binary planting research has identified hundreds of binary planting issues in various Windows applications, including some that ship with the operating system. This means that at this moment, every Windows computer is exposed to at least one of these bugs. When you consider the additional binary planting bugs present in your other software (custom-made software included), there may be hundreds of bugs on every Windows computer. If you're running a security-critical business, have your Windows environment analyzed for binary planting issues by qualified experts with lots of experience. Don't expect free public tools like DllHijackAuditor or Process Monitor to find all binary planting issues on your systems; they only observe the DLL loads that happen to occur during the test session. The extensive binary planting research project conducted by ACROS Security makes us undoubtedly the world's most qualified experts on this subject.
- Block outbound SMB connections on your Internet firewall. Make sure your Internet firewall doesn't allow outbound SMB connections from internal networks to the Internet. Connections to ports 137, 138, 139 and 445 on external addresses should be blocked for both TCP and UDP (SMB itself uses TCP 139 and 445; the NetBIOS name and datagram services use UDP 137 and 138, and blocking all four on both protocols does no harm). Remember that a client that cannot reach a share over SMB will usually fall back to WebDAV if the WebClient service is running, which is why the two items below matter as well.
- Block outbound WebDAV communication on your Internet firewall. Make sure your Internet firewall doesn't allow outbound WebDAV communication from internal networks to the Internet. At a minimum, the HTTP method PROPFIND should be disallowed; the WebClient redirector cannot map a remote folder without it. Note that this requires a firewall or proxy that inspects HTTP methods, since a port-based filter cannot tell WebDAV from ordinary web browsing, and that WebDAV over HTTPS is invisible to it unless TLS is intercepted at the proxy.
- Limit internal SMB and WebDAV communication as much as you can. If your networks are segmented, make sure that no unneeded SMB and WebDAV traffic can pass through the boundaries; workstations rarely need to reach anything but designated file servers on these ports.
- Restrict write access to shared folders in your network. Planting a malicious binary next to data files on internal network shares is one of the most likely attack vectors for internal attackers. This method requires no social engineering: the attacker only has to wait for users to open files from the "planted" share, which executes her malicious binary on their computers. This attack vector can be limited by restricting write access on each share to the minimum number of users who need it, and by reviewing those permissions regularly, since write access tends to accumulate over time.
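The CWDIllegalInDllSearch deployment described above, as an added PowerShell example (not from this page and not Microsoft's tooling). It assumes the hotfix is KB2264107, that the global value lives under the Session Manager key and per-application overrides under Image File Execution Options\<exe name> (both as documented for the hotfix), an elevated PowerShell 2.0 or later session, and an illustrative application name.

```powershell
# Added example (not from the ACROS page): deploying CWDIllegalInDllSearch with PowerShell.
# Assumptions: the hotfix is KB2264107 (Get-HotFix only sees it when installed as a separate
# update), the global value lives under the Session Manager key, per-application overrides go
# under Image File Execution Options\<exe name>. Run in an elevated PowerShell 2.0+ session.

$SessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$Ifeo       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ValueName  = 'CWDIllegalInDllSearch'

# Documented values. The registry type is REG_DWORD, which PowerShell writes from an Int32,
# so 0xFFFFFFFF has to be expressed as -1.
$BlockWebDavCwd = 1     # block DLL loads from the CWD only when the CWD is a WebDAV folder
$BlockRemoteCwd = 2     # block when the CWD is any remote folder (WebDAV or SMB)
$BlockAnyCwd    = -1    # 0xFFFFFFFF: remove the CWD from the DLL search order entirely

function Test-CwdHotfixInstalled {
    # Without the hotfix the value is silently ignored, so this is the first thing to check.
    return [bool](Get-HotFix -Id 'KB2264107' -ErrorAction SilentlyContinue)
}

function Set-GlobalCwdPolicy([int]$Value) {
    New-ItemProperty -Path $SessionMgr -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
}

function Set-AppCwdPolicy([string]$ExeName, [int]$Value) {
    # Per-application override: relaxes a global 0xFFFFFFFF back to 2 for an application that
    # breaks without its CWD in the search path (and that you have reported to its vendor).
    $key = Join-Path $Ifeo $ExeName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
}

function Get-CwdPolicyReport {
    # Global setting plus every per-application override, shown as unsigned hex so that
    # 0xFFFFFFFF reads as such rather than as -1.
    $rows = @()
    $g = (Get-ItemProperty -Path $SessionMgr -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $rows += New-Object PSObject -Property @{ Scope = '(global)'; Value = $g }
    foreach ($k in Get-ChildItem -Path $Ifeo) {
        $v = (Get-ItemProperty -Path $k.PSPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        if ($v -ne $null) { $rows += New-Object PSObject -Property @{ Scope = $k.PSChildName; Value = $v } }
    }
    $rows | Select-Object Scope, @{ Name = 'Value'; Expression = {
        if ($_.Value -eq $null) { '(not set)' } else { '0x{0:X8}' -f [uint32]($_.Value -band 0xFFFFFFFF) } } }
}

# Step 1: the safe default recommended above (block remote CWDs only).
if (-not (Test-CwdHotfixInstalled)) { throw 'KB2264107 is not installed; the registry value would have no effect.' }
Set-GlobalCwdPolicy $BlockRemoteCwd
Get-CwdPolicyReport | Format-Table -AutoSize

# Step 2, only after testing: tighten globally and relax just the applications that break.
#   Set-GlobalCwdPolicy $BlockAnyCwd
#   Set-AppCwdPolicy 'legacyapp.exe' $BlockRemoteCwd   # illustrative executable name
```

The report is the part worth keeping around: after a few rounds of "this app broke, add an override", it shows at a glance which executables are still allowed to load libraries from a remote current directory, which is exactly the list to hand to the application vendors.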
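An AppLocker policy meeting the three conditions in the Software Restriction Policy / AppLocker item above, as an added PowerShell example (not from this page). It assumes Windows 7 Enterprise or Ultimate or Windows Server 2008 R2 (other Windows 7 editions can edit but not enforce AppLocker rules), the AppLocker PowerShell module, an elevated session, and illustrative file names and paths; the Windows Temp and Tasks exceptions are examples of user-writable folders under the Windows tree.

```powershell
# Added example (not from the ACROS page): an AppLocker policy whose DLL rule collection allows
# libraries only from the Windows and Program Files trees, for every user (administrators included),
# imported in audit mode first. Assumes Windows 7 Enterprise/Ultimate or Windows Server 2008 R2,
# the AppLocker PowerShell module and an elevated session. File names and paths are illustrative.
Import-Module AppLocker

# Differences from the "default rules" AppLocker offers to generate for the DLL collection:
#   - no "Administrators may load any DLL" rule (guideline point 1: all users)
#   - user-writable places under %WINDIR% are carved out as exceptions; otherwise anyone who can
#     write to e.g. C:\Windows\Temp could still plant a loadable DLL there (guideline point 2)
# S-1-1-0 is the well-known SID for Everyone; %WINDIR% and %PROGRAMFILES% are AppLocker path
# variables (on x64, %PROGRAMFILES% matches both Program Files folders).
$PolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Dll" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="DLLs in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="DLLs in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$PolicyPath = Join-Path $env:TEMP 'applocker-dll-policy.xml'   # illustrative location
$PolicyXml | Out-File -FilePath $PolicyPath -Encoding UTF8

# AppLocker is enforced by the Application Identity service; without it the policy is inert.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Dry run against real files (Test-AppLockerPolicy needs files that exist): a library copied
# into a user-writable folder should match no Allow rule, the same library in System32 should.
$probe = Join-Path $env:TEMP 'probe.dll'
Copy-Item -Path "$env:windir\System32\msvcrt.dll" -Destination $probe
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $probe, "$env:windir\System32\msvcrt.dll" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply, merged with whatever local policy already exists. Change EnforcementMode to "Enabled"
# only after the AppLocker event log (Applications and Services Logs > Microsoft > Windows >
# AppLocker) has run clean of legitimate DLLs for a while.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
```

Because the collection contains only Allow rules, anything not matching them is denied by default, which is the allow-listing behaviour the guideline asks for; the audit log will quickly surface applications that load libraries from their own data folders or from user profiles, and each of those is a candidate for either a narrow additional rule or a report to the vendor.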
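A host-level backstop for the outbound SMB rule above, as an added PowerShell example (not from this page). The perimeter firewall remains the right place for that rule; this one catches laptops that leave the network. It uses the built-in Windows Firewall with Advanced Security through netsh (Vista, 7, 2008) and assumes the internal address space is exactly the RFC 1918 ranges (edit $InternalCidrs otherwise) and an elevated PowerShell 2.0 or later session. WebDAV cannot be handled this way on the host; disabling the WebClient service covers that side.

```powershell
# Added example (not from the ACROS page): block outbound SMB/NetBIOS from a Windows host to every
# address outside the internal ranges, using netsh advfirewall. Assumptions: internal space is the
# RFC 1918 ranges (edit $InternalCidrs), elevated PowerShell 2.0+ session.

$InternalCidrs = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')

function ConvertTo-IpNumber([string]$Ip) {
    # Dotted quad -> integer; Int64 throughout so mixed arithmetic never leaves the integer types.
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function ConvertFrom-IpNumber([int64]$N) {
    $octets = foreach ($d in 16777216, 65536, 256, 1) { [math]::Floor($N / $d) % 256 }
    return ($octets -join '.')
}

function Get-NonInternalRanges([string[]]$Cidrs) {
    # Windows Firewall has no "everything except these networks" selector, and block rules always
    # win over allow rules, so the block rule must carry the complement of the internal ranges
    # explicitly. This emits the gaps between the sorted internal ranges as netsh range literals.
    $ranges = foreach ($c in $Cidrs) {
        $net, $bits = $c -split '/'
        $start = ConvertTo-IpNumber $net
        $size = [int64][math]::Pow(2, 32 - [int]$bits)
        @{ Start = $start; End = $start + $size - 1 }
    }
    $gaps = @()
    $next = [int64]0
    foreach ($r in ($ranges | Sort-Object { $_.Start })) {
        if ($r.Start -gt $next) {
            $gaps += ('{0}-{1}' -f (ConvertFrom-IpNumber $next), (ConvertFrom-IpNumber ($r.Start - 1)))
        }
        $next = $r.End + 1
    }
    if ($next -le 4294967295) { $gaps += ('{0}-{1}' -f (ConvertFrom-IpNumber $next), '255.255.255.255') }
    return $gaps
}

function Add-OutboundSmbBlockRules([string[]]$RemoteRanges) {
    $remote = $RemoteRanges -join ','
    # TCP 139/445 carry SMB; UDP 137/138 carry the NetBIOS name and datagram services.
    # Each name=value pair is quoted so PowerShell hands it to netsh as a single token.
    & netsh advfirewall firewall add rule "name=BinaryPlanting-BlockOutboundSMB" dir=out action=block profile=any protocol=TCP "remoteport=139,445" "remoteip=$remote"
    & netsh advfirewall firewall add rule "name=BinaryPlanting-BlockOutboundNetBIOS" dir=out action=block profile=any protocol=UDP "remoteport=137,138" "remoteip=$remote"
}

$public = Get-NonInternalRanges $InternalCidrs
$public                                   # review the computed ranges before applying them
Add-OutboundSmbBlockRules $public
```

Loopback, link-local and multicast addresses fall inside the computed "non-internal" ranges; if anything on the host legitimately speaks SMB to those, add them to $InternalCidrs and the complement adjusts itself. The same complement list is what you would feed a perimeter firewall that also lacks a negated-network selector.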
Guidelines for Developers