Coin Miner Product Countermeasures

Transcription

1 Coin Miner Product Countermeasures Patch critical vulnerabilities Malware authors continue to leverage old vulnerabilities targeting unpatched systems. Most commonly today, we see EternalBlue leveraged to aid in propagation. EternalBlue is the name given to a vulnerability in the Microsoft SMBv1 file sharing protocol, also known as MS This vulnerability is most often referenced alongside WannaCry. Microsoft has released a patch to resolve the vulnerability which can be found at Please note that this patch does require a reboot to apply. Protection at the gateway Stopping files based on type, (when feasible to an organization s workflow,) can be very effective in preventing the delivery of malware to the end-user. We most often see the following types delivered either by or by Web: DOC\DOCX, XLS\XLS, JS, PS1, EXE, VBS, ZIP, BAT, SWF, SCR, CAB, RAR, EGG, PDF Note: If DOC\XLS are not able to be blocked due to company policies, files containing macros can be block at various Gateway solutions as well Based on field observations and labs intelligence, we have noted the following traffic in relation to Coin Miners: Additionally see: McAfee Labs Threat Advisory: JS/Miner stratum+tcp://pool.supportxmr.com:80 stratum+tcp://mine.xmrpool.net:80 stratum+tcp://pool.minemonero.pro:80 stratum+tcp://xmr.crypto-pool.fr:80 stratum+tcp://mine.moneropool.com:3333 hxxps://monerohash.com:3333 hxxps://coinhive.com:80 node.jhshxbv.com node2.jhshxbv.com node3.jhshxbv.com node4.jhshxbv.com : Protection at the endpoint McAfee Endpoint Protection products offer an array of features that can be utilized to stop malware based on behavioral characteristics, as opposed to relying solely on DATs. NOTE: Prior to implementing the recommendations below, it is essential that the rules are tested thoroughly to ensure their integrity and also that no legitimate application, in-house developed or otherwise, is deemed malicious and prevented from functioning in your production environment. The rules suggested can be set in report-only mode for testing purposes in order to check if they cause any conflict in your environment. Once it is determined that they will not block any activity from legitimate applications, you can set them to block and apply these settings to all relevant systems. Use GTI file reputation to identify trusted or malicious files Endpoint Security 10.5 Access Protection: Default Rule: Rule: Executing scripts by Windows script host (CScript.exe or Wscript.exe) from common user folders Rule: Running files from common user folders Rule: Creating new executable files in the Windows folder

2 Endpoint Security 10.5 Access Protection: Custom Rules Custom Rule1: Executable1: File Name or Path: powershell.exe SubRule1: Operations: Execute Target1: File, folder name, or file path: cmd.exe

3 SubRule2: Operations: Execute Target2: File, folder name, or file path: mshta.exe SubRule3: Operations: Execute Target3: File, folder name, or file path: SchTasks.exe

4 Custom Rule2: Executable1: File Name or Path: cmd.exe SubRule1: Operations: Execute Target1: File, folder name, or file path: mshta.exe

5 SubRule2: Operations: Execute Target2: File, folder name, or file path: SchTasks.exe

6 Custom Rule3: Executable1: File Name or Path:?scrpt.exe (More aggressive is * as a single executable Executable2-4 moot) Executable2: File Name or Path: powershell.exe Executable3: File Name or Path: iexplorer.exe Executabl4: File Name or Path: cmd.exe **NOTE** Example rule depicts the more aggressive approach

7 SubRule1: Operations: Create & Execute Target1: File, folder name, or file path:?:\users\*\appdata\local\temp\*.exe (More aggressive?:\users\*\*.exe) **NOTE** Example rule depicts the more aggressive approach SubRule2: Operations: Create & Execute Target1: File, folder name, or file path:?:\programdata\*\*.exe **NOTE** CustomRule3 can also be modified to add VBS, DLL, BAT, JS and PS1 Endpoint Security Dynamic Application Containment: Rule: Creating files with the.exe extension Rule: Executing any child process Rule: Modifying startup registry locations Rule: Modifying files with the.vbs extension Rule: Creating files with the.vbs extension Rule: Modifying the Services registry location Rule: Modifying user policies Rule: Modifying files with the.bat extension Rule: Creating files with the.bat extension Rule: Modifying the hidden attribute bit **NOTE* for DAC Best Practices please visit KB Similar to AP Rules, All DAC Rules should be tested, to prevent interruption VirusScan Enterprise 8.8 Access Protection: Default Rules Rule: Anti-spyware Maximum Protection: Prevent execution of scripts from the Temp folder Rule: Anti-virus Maximum Protection: Prevent svchost executing non-windows executables Rule: Common Maximum Protection: Prevent creation of new executable files in the Windows folder

8 VirusScan Enterprise Access Protection: Custom Rules Rule Type: File/Folder Blocking Rule Process to include: powershell.exe File or folder name to block: cmd.exe File actions to prevent: Execute Rule Type: File/Folder Blocking Rule Process to include: powershell.exe File or folder name to block: mshta.exe File actions to prevent: Execute

9 Rule Type: File/Folder Blocking Rule Process to include: powershell.exe File or folder name to block: schtasks.exe File actions to prevent: Execute Rule Type: File/Folder Blocking Rule Process to include: cmd.exe File or folder name to block: mshta.exe File actions to prevent: Execute

10 Rule Type: File/Folder Blocking Rule Process to include: cmd.exe File or folder name to block: schtasks.exe File actions to prevent: Execute Rule Type: File/Folder Blocking Rule Process to include:?scrpt.exe, powershell.exe, iexplore.exe, cmd.exe (More aggressive is *) File or folder name to block: *\users\*\appdata\local\temp\*.exe (More aggressive *\users\*\*.exe) File actions to prevent: Create & Execute **NOTE** Example rule depicts the more aggressive approach

11 Rule Type: File/Folder Blocking Rule Process to include:?scrpt.exe, powershell.exe, iexplore.exe, cmd.exe (More aggressive is *) File or folder name to block: *\programdata\*\*.exe File actions to prevent: Create & Execute **NOTE** Custom Rule for folder/file paths can also be modified to add VBS, DLL, BAT, JS and PS1 ENS Exploit Prevention\HIPs Signatures: 6070: Hidden Powershell Detected 6086: Powershell Command Restriction Command 6087: Powershell Command Restriction EncodedCommand 6096: Powershell Command Restriction InvokeExpression 6081: Powershell Command Restriction NoProfile 6083: Powershell Command Restriction NonInteractive 6108: Powershell - Suspicious downloadstring script execution 6109: Powershell - Suspicious wmi script execution HIPs Signature: 1148: CMD Tool Access by a Network Aware Application 6010: Generic Application Hooking Protection 6011: Generic Application Invocation Protection