Category: AV/Anti-Malware Technologies

Nov 16 2010

Protecting the innocent from the Internet part 1

Being a father of four with my oldest already at the age where he needs to use the computer, I started asking myself: do I have the ideal setup? The answer was "not really". Don't get me wrong, I have a pfSense firewall and a few other protections in place; however, I wanted to build a solution from the ground up instead of just installing a bunch of packages on my firewall without really understanding what's going on in the back end.

My proposed solution is a system that caches and scans web traffic for viruses and also performs some sort of content filtering based on various detection methods (phrase matching, PICS filtering, URL filtering, etc.); most importantly, the solution must be **FREE** to implement. I am sure there are other solutions out there that do a better job than the one I have outlined, and by all means feel free to comment or email me.

Tools I plan on using:

  • FreeBSD 8.1
  • ClamAV
  • Squid
  • Dansguardian
  • Privoxy
  • HAVP

FreeBSD: If you are going to choose an OS I would suggest BSD, because in my opinion it's one of the most secure and well-built systems out there.

ClamAV: ClamAV is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and an advanced tool for automatic database updates.

Squid: Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages.

Dansguardian: Dansguardian is an award-winning open source web content filter which currently runs on Linux, FreeBSD, OpenBSD, NetBSD, Mac OS X, HP-UX and Solaris. It filters the actual content of pages based on many methods including phrase matching, PICS filtering and URL filtering. It does not purely filter based on a banned list of sites like lesser, totally commercial filters.

Privoxy: Is a non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk. Privoxy has a flexible configuration and can be customized to suit individual needs and tastes.

HAVP (HTTP AntiVirus proxy): is a proxy with an anti-virus filter. It does not cache or filter content.

Setup Phase

The first thing you need to do before you start installing your apps is to set up a static address on your BSD box; in my case I have FreeBSD 8.1:

Edit /etc/rc.conf (vi /etc/rc.conf) and add the following lines; my gateway was 192.168.1.1 and my IP 192.168.1.5. Note that the option is spelled defaultrouter, and that rc.conf is read by sh, so the quotes must be plain ASCII double quotes rather than the typographic ones a web page or word processor may produce:

defaultrouter="192.168.1.1"
hostname="bsdsrvr.infolookup.com"
ifconfig_le0="192.168.1.5 netmask 255.255.255.0"
inetd_enable="YES"

I would also run freebsd-update fetch and freebsd-update install, since it never hurts to have an up-to-date system. This is as far as I will go in this post; in my next post I will go through the install, configuration and testing. Comments and suggestions are always welcome.

–Sherwyn AKA Infolookup

References

http://www.br.freebsd.org/where.html

http://www.clamav.net/lang/en/

http://www.server-side.de/

http://www.privoxy.org/

http://wiki.linuxmce.org/index.php/Installing_Dansguardian

http://www.mustnofee.com/tutorials/37-tutorials/67-setting-up-squid-on-freebsd

http://bsdmag.org/

http://www.squid-cache.org/

Apr 01 2010

Who do you trust to find your ADS?

What are ADS or Alternative data streams?

Alternate data streams allow more than one data stream to be associated with a filename, using the filename format “filename:streamname” (e.g., “text.txt:extrastream”). Alternate streams are not listed in Windows Explorer, and their size is not included in the file’s size. Only the main stream of a file is preserved when it is copied to a FAT-formatted USB drive, attached to an e-mail, or uploaded to a website. As a result, using alternate streams for critical data may cause problems.

Why you should care about ADS?

One reason you should care is that even though this has been around for quite some time now, it still has a very high rate of success when implemented in a piece of malware. The ability to hide behind a known system file without changing the file size can be very deceiving.

Another important reason, as stated by http://www.rootkitanalytics.com/, is that due to this hidden nature of ADS, hackers have been exploiting this method to secretly store their rootkit components on the compromised system without being detected. For example, the infamous rootkit named 'Mailbot.AZ' aka 'Backdoor.Rustock.A' used to hide its driver file in the system32 folder (C:\Windows\system32) as a stream '18467'.

Below is a brief illustration of what this looks like:

Now before you start worrying yourself, there is hope on the horizon thanks to tools like "StreamArmor".

What is StreamArmor, you might ask?

StreamArmor is a sophisticated tool for discovering hidden alternate data streams (ADS) and cleaning them completely from the system. Its advanced auto-analysis, coupled with an online threat verification mechanism, makes it the best tool available in the market for eradicating evil streams. StreamArmor comes with a fast multi-threaded ADS scanner which can recursively scan the entire system and quickly uncover all hidden streams. All discovered streams are represented using a specific color pattern based on threat level, which makes it easy for the human eye to distinguish between suspicious and normal streams.

Or, as I prefer to call it, the first step in the first direction… Don't get me wrong, there are other great tools out there like Streams from Microsoft or Gmer, but after using StreamArmor recently I don't see how I could go back to those tools.

I decided to see how StreamArmor would perform when compared to two of its competitors (Streams and Gmer). I created several ADS samples and split them up into two folders on my C drive, then scanned both folders with each program twice.

My sample streams included the following:

  • 12 streams in total
  • I placed various files (exe, png and avi) behind a few .txt, .doc, .bmp and .pub documents.
  • I then encrypted one of those files and zipped two of them (one with Windows 7's built-in compression and the other with WinRAR).

Microsoft Streams results: 9 out of 12

Gmer scan results: 5 out of 12

StreamArmor results: 9 out of 12

In the end both StreamArmor and MS Streams found 9 out of 12; none of them found the ADS that were zipped or the one that was encrypted (not that I expected the encrypted file to be discovered). At this point I am as confident as when I started writing this post: StreamArmor is my preferred choice. It offers the ability to export great reports, easy-to-run customized scans, and overall results that are not difficult to interpret.
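A do-it-yourself version of the scan above, as an added example that is not part of the original post: it walks a folder using PowerShell's -Stream support (Windows PowerShell 3.0 or later, NTFS only), lists every non-default stream with its size, and flags streams whose first two bytes are an MZ header, i.e. an executable hidden behind a document as in the test set above. The demo at the end constructs its own sample file under %TEMP% and removes it again.

```powershell
# Added example, not part of the original post: list alternate data streams
# under a folder and flag the ones a defender should look at. Needs Windows
# PowerShell 3.0 or later (for -Stream) and an NTFS volume.
function Get-AdsReport {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Every stream except the default unnamed one, which shows up as ':$DATA'.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $stream = $_
            # Peek at the first two bytes: 'MZ' means a PE executable sits behind
            # the host file, as with the .exe-behind-.txt samples in the post.
            $magic = ''
            try {
                $bytes = if ($PSVersionTable.PSVersion.Major -ge 6) {
                    Get-Content -LiteralPath $file.FullName -Stream $stream.Stream -AsByteStream -TotalCount 2
                } else {
                    Get-Content -LiteralPath $file.FullName -Stream $stream.Stream -Encoding Byte -TotalCount 2
                }
                if (@($bytes).Count -eq 2) { $magic = -join [char[]]$bytes }
            } catch { }
            # Zone.Identifier is the ordinary "downloaded from the Internet" mark;
            # anything else, and anything starting with MZ, deserves a closer look.
            if ($magic -eq 'MZ') { $verdict = 'executable in stream' }
            elseif ($stream.Stream -eq 'Zone.Identifier') { $verdict = 'benign (download mark)' }
            else { $verdict = 'review' }
            [pscustomobject]@{
                File    = $file.FullName
                Stream  = $stream.Stream
                Bytes   = $stream.Length
                Verdict = $verdict
            }
        }
    }
}

# Constructed demo: a text file carrying a hidden stream, like the post's test set.
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath "$demo\notes.txt" -Value 'plain text'
Set-Content -LiteralPath "$demo\notes.txt" -Stream 'hidden' -Value 'MZ fake header only'
Get-AdsReport -Path $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

Streams compressed into an archive or inside an encrypted file are invisible to this check for the same reason they were to the three tools above: the stream is gone once the host file is packed, and only the archive's own streams remain.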

For further reading and examples, visit the links below:

http://www.auscert.org.au/render.html?it=7967

http://www.irongeek.com/i.php?page=security/altds

http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx

http://www.gmer.net/

http://www.rootkitanalytics.com/tools/streamarmor.php

Jan 08 2010

Guest Post: Microsoft Security Essentials Command Line Tip

This is a guest post courtesy of Matt Burian, an IT consultant; you can find out more about him over at www.burianit.com.

Something I found while trying to find a way to update Microsoft Security Essentials automatically on my home testing domain: some command line parameters for working with MSE:

http://www.winhelponline.com/blog/updating-microsoft-security-essentials-using-command-line/

Especially useful is this line:

"%ProgramFiles%\Microsoft Security Essentials\MpCmdRun.exe" -SignatureUpdate

This is used to update the MSE definition files. I have automatic Windows updates disabled on my client machines, so I push this command in a login script via group policy, and know that my definition files are up to date on all machines every time a user logs in.

Obviously, this is just for my personal Windows domain, and would not be appropriate for a real business or enterprise environment, as MSE is designed for home use and provides no management features.

However, this could still be useful if you wish to disable Windows automatic updates and still update your MSE definitions, either on a network or on a single local machine, by running this command at startup of the machine.

Dec 16 2009

Free Malware Analysis Services

While analyzing an infected machine today I retrieved a sample that needed further analysis. I would normally start by scanning these files with my anti-virus software; however, since the anti-virus had been disabled by the virus, that wouldn't have been too helpful. I currently don't have a test lab to analyze these samples, so the following services came in handy.

Some of them are only capable of analyzing potentially infected files, while others can also analyze a URL. The reports are pretty detailed and saved me a lot of time.

http://scanner.novirusthanks.org/ (file scanner and URL scanner)

http://www.virustotal.com (file scanner)

http://anubis.iseclab.org/ (file scanner and URL scanner)

http://virusscan.jotti.org/ (file scanner)

http://filterbit.com/ (file scanner)

http://camas.comodo.com/ (file scanner)

http://www.cwsandbox.org/?page=submit (file scanner)

http://eureka.cyber-ta.org/ (file scanner)

http://www.joebox.org/submit.php (file scanner and URL scanner)

http://www.norman.com/security_center/security_tools/submit_file/en (file scanner)

http://www.threatexpert.com/submit.aspx (file scanner)

http://xandora.security.net.my/?page_id=332 (file scanner)
