Windows Security: Red light district

Over the past week or so I've had the... how should I put this... privilege of having to focus almost entirely on Windows security.

I'm a diverse kind of guy, but every time I get my hands on a Windows box or watch someone else use one, I'm angry within a minute or two. I used to be a bigot, but now I'm more of the mindset of "whatever floats your boat", but christ, Windows just irritates the everloving crap out of me. If I see one more person start->run cmd.exe and type out the entire command every single time, I think I'm going to hurl. TAB COMPLETION, PEOPLE.

Anyway, there is this feeling at work that the rate of compromises on our Windows network has been increasing. In fact, it really hasn't been increasing, but rather the visibility into the situation has vastly improved, so we are seeing more compromises. Prior to now, we just were not aware of the compromises for various reasons that I won't get into here.

Typically, I learn of a compromise through a number of different channels -- the IDS wigging out because of outbound IRC connections to port 80 for a remote command and control ("C&C"), our various netblocks getting blacklisted, HR complaining about viagra/penis spam, or some random, clunky old laptop having "network issues". Our policy is a stern "wipe and reinstall", which I've grown to love. The amount of forensics I typically do on a compromised Windows system is usually minimal if the system shows signs of neglect -- Windows auto-update off, IE as the default browser, or non-existent or outdated anti-virus definitions. Every so often we get a machine that I expected to be reasonably secure, but it still gets whacked. In that case I typically do some investigation, but over time the ROI starts to tail off and I stop.

This may sound overly paranoid, but I assume that every Windows machine that I do not personally maintain is compromised in some way, oftentimes the worst way possible -- keylogger, screen-scraper, and C&C backdoor. When I find myself doing some work on a compromised machine, which seems to happen at least once per day lately, it feels like I'm a crime scene investigator walking into a run-down old factory -- the windows smashed in an odd pattern, skillful tagging everywhere, a pile of feces in the far corner, a bent heroin needle sticking out from under a fluid-stained mattress, rats scurrying everywhere, and hoarse voices echoing in the distance. Not only has some bad shit gone down here, but a lot of bad shit. I don't even know where to begin, and it's generally not even worth figuring it out. Wipe. Reinstall. Reprimand user.

About

Name: Jon Hart

Location: Hiding between the smog and the Pacific

Occupation: Security Ninja, Thrill Seeker.