Tim Roddy
Senior Director of Product Marketing
Web, Mail and network DLP Security
In these times of increasing zero-day exploits such as ‘Operation Aurora’, organizations need to rely on security solutions that offer multiple layers of protection in order to have “Zero Hour” protection. As attacks become increasingly complex and use a variety of delivery methods and protocols, layers of protection will continue to be the most effective approach. Two of the numerous protection mechanisms available in the McAfee Web Gateway were able to provide “Zero Hour” protection during the Aurora malware attack. This blog post describes the attack and how McAfee Web Gateway (formerly Webwasher) provided zero-hour protection against Aurora.
In the Aurora case, the user was enticed to visit a page that redirected, invisibly to the end user, to a page that resulted in the download of a Trojan used to infect the host.
The attackers were astute enough to name this Trojan ‘ad.jpg’ (a JPEG image file name), as this content type or file extension will not be blocked by most organizations’ perimeter or web gateways, ensuring the masked Trojan would bypass this level of filtering wherever it is based on filename validation only.
Next generation Web gateway solutions, such as McAfee Web Gateway (MWG), analyze the actual content in conjunction with the advertised filename, making evasion extremely difficult. Files that attempt to load in an end user’s browser by masquerading as something they are not are instantly blocked by McAfee Web Gateway. It was this proactive protection by MWG that stopped Aurora at “Zero Hour”.
Details:

A solution that enforces content and protocol validation at the gateway can also be very effective in protecting organizations with infected hosts already inside the organization’s network.
In the Aurora attack, the Trojan has full remote-control functionality, and again the attacker was astute enough to select a port that would likely be available outbound from the corporate network. In the Aurora case this was port 443, the port used for SSL-encrypted HTTP communication.
An excellent write-up of the protocol and behavior of the Trojan can be found here.
Although the Trojan is using the correct port for HTTP over SSL communication, the actual data transferred is not legitimate HTTP over SSL traffic. A Web Gateway that inspects and enforces SSL traffic (such as McAfee Web Gateway) will block this traffic if it does not conform to the protocol, disconnecting the infected host from its command-and-control host. This is the second way that MWG provided “Zero Hour” protection: stopping the infected host from communicating with its command-and-control structure.
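The two gateway checks described above (detected content versus advertised filename, and protocol conformance of traffic on port 443) can be illustrated with the following Python. This is an added example written for this post, not McAfee Web Gateway's implementation: the signature table, the sample bytes and the function names are constructed for illustration.

```python
import struct

# Constructed magic-byte table for a few common types (a real gateway carries far more).
MAGIC = {
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/gif": [b"GIF87a", b"GIF89a"],
    "application/x-msdownload": [b"MZ"],  # Windows PE executable header
}
EXT_TO_TYPE = {".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png",
               ".gif": "image/gif", ".exe": "application/x-msdownload"}


def sniff_type(data: bytes):
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for mime, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return mime
    return None


def content_matches_name(filename: str, data: bytes) -> bool:
    """True only when the sniffed content type agrees with the advertised extension.
    A PE file named 'ad.jpg' fails this check even though '.jpg' alone would be allowed."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    expected = EXT_TO_TYPE.get(ext)
    return expected is not None and sniff_type(data) == expected


def looks_like_tls(first_bytes: bytes) -> bool:
    """Check that a client's first bytes on port 443 form a TLS/SSL handshake record:
    content type 0x16, record version 3.0-3.3, sane length, ClientHello (type 1)."""
    if len(first_bytes) < 6:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", first_bytes[:5])
    return (ctype == 0x16 and major == 0x03 and minor <= 0x03
            and 0 < length <= 16384 and first_bytes[5] == 0x01)


if __name__ == "__main__":
    fake_jpeg = b"MZ\x90\x00" + b"\x00" * 60              # constructed PE stub named ad.jpg
    real_jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"        # constructed JPEG header
    print("ad.jpg allowed?", content_matches_name("ad.jpg", fake_jpeg))   # False -> block
    print("photo.jpg allowed?", content_matches_name("photo.jpg", real_jpeg))  # True
    hello = bytes.fromhex("160301002f0100002b0301")       # constructed ClientHello prefix
    custom = b"\x00\x00\x00\x10not-tls-at-all"            # constructed non-TLS stream
    print("TLS on 443?", looks_like_tls(hello), looks_like_tls(custom))  # True False
```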
Tags: Network Security, Operation Aurora