Written by Patrick Kaak
Translation & editing, Max Ranzau.
Editor's note: This article is an English translation of Patrick's original Dutch article, available here. If my translation leaves room for improvement (80% Google, 20% guesswork :), feel free to comment.
Recently, the Netherlands and the rest of the world have been under the spell of a nasty piece of viral code that spreads quickly and damages office documents. This virus is called xDocCrypt / Dorifel. Most virus scanners did not have the signature of the virus in time, hence there is already quite an outbreak on the loose. Most have, however, been updated at this point.
The xDocCrypt virus does not infect a computer in the usual manner. Normally, a virus enters a system via infected external drives, via downloaded files or arrives by mail. In the case of xDocCrypt, the virus is downloaded and installed by existing malware (Citadel / Zeus) which is already on the computer. This software sits dormant on the machine, routinely connecting to a server hosted by its creator and waiting for orders. The order in this case is to download a virus, which once active will start infecting documents. It appears the malware payload now includes a new virus (Hermes), which can cause even more damage as it focuses on obtaining bank details.
As virus scanners may be slow to learn about and intercept the virus, the question must be asked: is there a way to prevent this preemptively? Our answer is that you can never prevent 100% of all attacks, but you can make them very difficult by means of a good Workspace Management security solution.
If we look at Microsoft Windows itself, we already have an option to block the virus from starting by using the AppLocker feature in Windows Vista, 2008 or higher to protect against the execution of unknown binaries. RES Workspace Manager provides a similar yet much more flexible feature, which blocks the launch of executables that the user has no rights to, or that are unknown to the system. Configuring something like this usually takes a lot of time, as you have to specify exceptions on a whitelist of allowed executables. Fortunately, RES Workspace Manager has the ability to quickly learn what the user should be allowed to execute. In addition to these learned authorizations, the executables of the managed applications assigned to a given user are automatically authorized by Workspace Manager for only that user. Another advantage of Workspace Manager is that a user can launch applications which normally require administrative privileges.
Additionally, RES Workspace Manager can log any executables being blocked. These logs can be forwarded to any administrator or security officer via email or SNMP through the Workspace Manager Alerting feature (available in the Advanced Administration module, Ed.). This is a great way to detect the initialization of the Citadel / Zeus malware, as these will be unknown executables.
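The mechanism described above (per-user authorizations built from a learning pass plus the user's managed applications, a log of blocked launches, and an alert that singles out unknown executables started from user-writable locations such as %appdata%) is shown below as an added example in Python. It is not RES Workspace Manager code and not part of the original article; all users, paths and the sample launches are constructed, and the triage rule is an assumption about what an alert recipient would want to see first.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample data (not from the article): executables that a learning pass
# recorded for each user, and executables of the applications managed for them.
LEARNED_AUTHORISATIONS: Dict[str, Set[str]] = {
    "alice": {
        r"C:\Program Files\Microsoft Office\WINWORD.EXE",
        r"C:\Windows\System32\notepad.exe",
    },
}
MANAGED_APPS: Dict[str, Set[str]] = {
    "alice": {r"C:\Program Files\Adobe\Reader\AcroRd32.exe"},
    "bob": {r"C:\Program Files\Microsoft Office\EXCEL.EXE"},
}

# Locations a user process can always write to; an unknown executable launched
# from one of these is the pattern the article describes for Citadel/Zeus.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\tmp\\")


@dataclass
class ExecutionControl:
    """Hypothetical whitelist evaluator: learned rules plus managed-app rules, per user."""
    learned: Dict[str, Set[str]]
    managed: Dict[str, Set[str]]
    block_log: List[dict] = field(default_factory=list)

    def authorised_paths(self, user: str) -> Set[str]:
        # Authorisations are per user: bob's managed apps do not authorise alice.
        paths = self.learned.get(user, set()) | self.managed.get(user, set())
        return {p.lower() for p in paths}

    def launch(self, user: str, executable: str) -> bool:
        """Return True if the launch is allowed; otherwise log it and return False."""
        if executable.lower() in self.authorised_paths(user):
            return True
        self.block_log.append({"user": user, "executable": executable})
        return False


def triage(block_log: List[dict]) -> List[dict]:
    """Rank block events for the alert recipient (assumed rule, not the product's).

    A blocked executable inside a user-writable location (profile, temp) matches the
    dropper pattern from the article and gets priority "high"; anything else is
    "review" (most often a legitimate application nobody has authorised yet).
    """
    alerts = []
    for event in block_log:
        path = event["executable"].lower()
        prio = "high" if any(m in path for m in USER_WRITABLE_MARKERS) else "review"
        alerts.append({**event, "priority": prio})
    # "high" first, then the rest in the order they were logged
    return sorted(alerts, key=lambda a: a["priority"] != "high")


def run_scenario() -> List[dict]:
    """Constructed launches: two legitimate, one from a user's %appdata%, one cross-user."""
    ctl = ExecutionControl(LEARNED_AUTHORISATIONS, MANAGED_APPS)
    ctl.launch("alice", r"C:\Program Files\Microsoft Office\WINWORD.EXE")   # learned: allowed
    ctl.launch("alice", r"C:\Program Files\Adobe\Reader\AcroRd32.exe")      # managed app: allowed
    ctl.launch("alice", r"C:\Users\alice\AppData\Roaming\xyz\updater.exe")  # unknown: blocked
    ctl.launch("bob", r"C:\Program Files\Microsoft Office\WINWORD.EXE")     # not bob's: blocked
    return triage(ctl.block_log)


if __name__ == "__main__":
    for alert in run_scenario():
        print(f"[{alert['priority']:6}] {alert['user']}: {alert['executable']}")
```

Running the script lists the two blocked launches, the %appdata% one first. Note that the second block (bob starting Word, which is only authorized for alice) is exactly the kind of event that looks like noise but still deserves a look: either the user needs the application assigned, or something is running under their account that should not be.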
Besides Application Security, RES Workspace Manager also has a Network Security feature. This feature makes it possible to white- or blacklist an individual executable's TCP/UDP access to given IP ranges. If you choose a whitelist approach and the virus was already present on your network, it would never get any access to the outside world, being blocked by Workspace Manager. Alternatively, knowing the servers the virus downloads from, one could also employ a blacklisting scheme to block any traffic to/from those sites.
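To make the difference between the two approaches concrete, here is an added Python example (not RES Workspace Manager code, and not from the original article) of a per-executable network rule evaluator run in whitelist and in blacklist mode. The rules, executables and addresses are constructed; the address ranges are documentation ranges standing in for an internal network and for the download hosts an advisory would list.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NetRule:
    """One network rule: which executable may (or may not) reach which range and ports."""
    executable: str                      # lower-case file name, "*" for any process
    network: ipaddress.IPv4Network
    ports: Optional[Tuple[int, int]]     # inclusive (low, high); None means any port
    protocol: str = "*"                  # "tcp", "udp" or "*"

    def matches(self, executable: str, ip: str, port: int, protocol: str) -> bool:
        exe_ok = self.executable in ("*", executable.lower())
        ip_ok = ipaddress.ip_address(ip) in self.network
        port_ok = self.ports is None or self.ports[0] <= port <= self.ports[1]
        proto_ok = self.protocol in ("*", protocol.lower())
        return exe_ok and ip_ok and port_ok and proto_ok


def whitelist_allows(rules: List[NetRule], executable: str, ip: str, port: int,
                     protocol: str = "tcp") -> bool:
    """Whitelist mode: traffic passes only if some rule explicitly permits it."""
    return any(r.matches(executable, ip, port, protocol) for r in rules)


def blacklist_allows(rules: List[NetRule], executable: str, ip: str, port: int,
                     protocol: str = "tcp") -> bool:
    """Blacklist mode: traffic passes unless some rule explicitly forbids it."""
    return not any(r.matches(executable, ip, port, protocol) for r in rules)


# Constructed whitelist: mail client to the internal mail server, browser to the
# web proxy, nothing else. 10.10.x.x stands in for the company network.
WHITELIST: List[NetRule] = [
    NetRule("outlook.exe", ipaddress.ip_network("10.10.0.0/24"), (25, 25), "tcp"),
    NetRule("outlook.exe", ipaddress.ip_network("10.10.0.0/24"), (143, 143), "tcp"),
    NetRule("iexplore.exe", ipaddress.ip_network("10.10.1.0/24"), (8080, 8080), "tcp"),
]

# Constructed blacklist: a placeholder range for the download hosts, any process,
# any port and protocol. The real hosts are not on this page.
BLACKLIST: List[NetRule] = [
    NetRule("*", ipaddress.ip_network("198.51.100.0/24"), None, "*"),
]


def evaluate_scenario() -> dict:
    """A dropper fetching its payload, and a normal mail session, under each policy style."""
    dropper = ("dropper.exe", "198.51.100.7", 80)   # constructed unknown binary and host
    mail = ("outlook.exe", "10.10.0.5", 143)
    return {
        "dropper_whitelist": whitelist_allows(WHITELIST, *dropper),            # nothing permits it
        "dropper_blacklist": blacklist_allows(BLACKLIST, *dropper),            # listed host: blocked
        "dropper_to_unlisted_host": blacklist_allows(BLACKLIST, "dropper.exe", "203.0.113.9", 80),
        "mail_whitelist": whitelist_allows(WHITELIST, *mail),                  # permitted rule
    }


if __name__ == "__main__":
    for name, allowed in evaluate_scenario().items():
        print(f"{name:26} -> {'allowed' if allowed else 'blocked'}")
```

The third result is the point of the article's preference for whitelisting: a blacklist only stops traffic to hosts you already know about, so the same dropper talking to an address that is not on the list gets through, while the whitelist blocks it without anyone having to know the host in advance.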
Finally, the Read-Only Blanketing security feature in RES Workspace Manager provides a good protection against writing to the local disks. This ensures that unauthorized processes/applications can't deposit any kind of data payload on for example the system drive. Read-Only Blanketing will per design not protect the following paths:
- The Recycle Bin on each local drive (so users can actually delete files)
- %allusersprofile% and %userprofile% (where %appdata% resides by default)
- Tmp and temp locations (user processes may write data here)
- Spool directory (if write permissions were removed here, users couldn't print)
- Debug\usermode in the Windows folder
- The server console
However, in the case of the malware discussed here, this feature will not be able to protect you, as the malware stores its payload under %appdata%. Since the virus lives in the user's profile, there is something to be said about how you handle your profile. If you use the combination of a Mandatory Profile with RES Workspace Manager's User Settings feature, you can explicitly specify what is to be retained when the session ends, and the profile and its contents (including the virus) are henceforth destroyed. That would not be the case with roaming profiles in their default configuration.
The RES Workspace Manager features above are in line with the advice given by the Dutch National Cyber Security Center of the Ministry of Security and Justice. Configuring any Workspace solution, however, is not something you do in a few minutes without knowing what you're doing. For more information, please visit my company at Centric.eu. There you can also read more about how to resolve the damage caused by the virus, specifically what ports and hosts to block.
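The caveat about Read-Only Blanketing is easy to check against the exemption list above. The following added Python example (not RES code, not part of the original article) models those exemptions as path prefixes and decides whether a write would be refused; the resolved locations for %allusersprofile%, %userprofile% and the temp directories are assumed Windows defaults, and the server console is omitted because it is a session type rather than a path.

```python
import ntpath
from typing import List


def exempt_roots(user: str) -> List[str]:
    """Locations Read-Only Blanketing leaves writable (assumed default paths)."""
    userprofile = "C:\\Users\\" + user
    return [
        "C:\\ProgramData",                       # %allusersprofile%
        userprofile,                             # %userprofile%, which contains %appdata%
        userprofile + "\\AppData\\Local\\Temp",  # per-user temp
        "C:\\Windows\\Temp",                     # system temp
        "C:\\Windows\\System32\\spool",          # print spooler
        "C:\\Windows\\debug\\usermode",
    ]


def _under(path: str, root: str) -> bool:
    """Case-insensitive check that path equals root or lies beneath it."""
    p, r = ntpath.normcase(path), ntpath.normcase(root).rstrip("\\")
    return p == r or p.startswith(r + "\\")


def write_blocked(path: str, user: str) -> bool:
    """True if blanketing would refuse the write, False if the path is exempt."""
    _drive, rest = ntpath.splitdrive(ntpath.normcase(path))
    if rest.startswith("\\$recycle.bin"):        # recycle bin on every local drive
        return False
    return not any(_under(path, root) for root in exempt_roots(user))


def scenario() -> dict:
    """Constructed writes: two system locations, one %appdata% payload, one recycle bin."""
    return {
        "system32_dll": write_blocked(r"C:\Windows\System32\evil.dll", "alice"),
        "program_files_dll": write_blocked(r"C:\Program Files\App\plugin.dll", "alice"),
        "appdata_payload": write_blocked(r"C:\Users\alice\AppData\Roaming\xyz\payload.exe", "alice"),
        "recycle_bin": write_blocked(r"D:\$Recycle.Bin\S-1-5-21-1\deleted.docx", "alice"),
    }


if __name__ == "__main__":
    for name, blocked in scenario().items():
        print(f"{name:18} -> {'blocked' if blocked else 'write allowed'}")
```

The system and Program Files writes are refused, which is what blanketing is for, but the %appdata% payload goes through because the whole user profile is exempt. That is why the article pairs this feature with Application Security (the payload cannot run even though it can be written) and with a mandatory profile (whatever was written does not survive the session).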
Closing note: While RES Software has never intended nor marketed the Workspace Manager product as an antivirus solution, it is self-evident from the examples above that the 6 current security subsystems may be employed to take a huge bite out of the looming threats of malware, spyware and viruses floating around out there. As they say, an ounce of prevention is worth two pounds of cure. While we're at it, you might also want to have a look at the RESguru article here, which discusses working with the RES Workspace Manager's security model.