
SANS ISC InfoSec Handlers Diary Blog



Tip of the Day - Backup and Backup Management for Home or Small Business Users

Published: 2006-08-12
Last Updated: 2006-08-13 04:04:43 UTC
by Koon Yaw Tan (Version: 1)
As a home or small business user, do you back up your data regularly? If not, why not? Too troublesome? No idea how to do it? Or not sure what a backup even is?

To back up data is simply to make an additional copy of it that can be restored if the original is damaged or lost.

Why do you need to back up your data?
Because data will be lost if your hard disk crashes. Consider yourself lucky if you have not experienced this yet. Even if the hard disk does not crash, data can still be lost through loss or theft of a laptop, or through data corruption (accidental, or caused by malware or ransomware).

We are not covering backup management for large enterprises here, because that can get quite complex; we will focus on home and small business users.

There are basically three types of backup:
* Full backup: all data is backed up.
* Differential backup: backs up the files that have been modified since the last full backup.
* Incremental backup: backs up the files that have changed since the last full or incremental backup.

What to back up?
Your data, of course, especially what you created or authored yourself. Applications can always be reinstalled, but you will be deeply frustrated if you lose your own documents. If backup storage is not an issue, you can back up everything. The important thing is to make sure your own data is backed up first.
 
One point to consider is the protection of the media holding your backup data. If the backup data is sensitive, consider encrypting it. Otherwise, make sure your backup media is physically well protected.

How to back up?
For Windows users, the easiest way is simply to copy your data to another physical medium. A neat way to do this is to keep all your data in one folder; then you only need to copy out that whole folder as your backup. Windows also comes with a Backup tool you can consider:

Start > All Programs > Accessories > System Tools > Backup

For Unix, you can consider tar, dump or dd as your backup tools. Each has its pros and cons. If you just want to back up your data, one simple way is to use tar to copy it out. For example, change to the directory that contains your mydata directory (assuming mydata holds your data) and run:

tar -cf mydata.tar mydata

Where to back up?
Note that the backup must be on a different physical medium. If you have two drives (C: and D:) but both are on the same physical disk (in simple words, you have only one hard disk), then copying your data from one drive (say C:) to the other (say D:) is not a backup, since all your data will still be lost if that single hard disk crashes.

The backup media could be:
* Another separate hard disk (but beware that this hard disk could crash too)
* CD-R, CD-RW
* DVD-R, DVD-RW
* Magnetic tape (more for small business than home users)

For small business users, you may want to consider offsite storage for your backup media. This is particularly important as part of your disaster recovery plan.

How frequently should you back up your data?
It depends. If your data changes frequently, consider weekly (or even daily) backups. Otherwise, a monthly backup is a good start.

Backup data is useless if you don't know how to restore it, or can't. Recovery is as important as backup. Test and verify on a regular basis that you are actually able to restore from your backups.
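The tar command given above makes a full backup; the differential type listed earlier and the restore test just described can be scripted the same way. The script below is an added example, not from the diary: it assumes POSIX sh with find and diff and a tar that accepts -T (GNU or BSD tar), and builds its own small mydata directory in a temporary location.

```shell
#!/bin/sh
# Added example, not from the diary: a full backup, a differential backup of
# files changed since that full backup, and a restore test, all with tar.
# Assumes POSIX sh, find, diff and a tar that accepts -T (GNU or BSD tar).
set -eu

WORK=$(mktemp -d)   # scratch area holding mydata, the archives and the restore

# Constructed sample data standing in for the user's mydata directory.
make_sample_data() {
  mkdir -p "$WORK/mydata/docs"
  printf 'first report\n' > "$WORK/mydata/docs/report.txt"
  printf 'budget v1\n'    > "$WORK/mydata/budget.csv"
}

# Full backup: archive the whole mydata tree from its parent directory and
# leave a marker file whose mtime records when the full backup was taken.
full_backup() {
  ( cd "$WORK" && tar -cf full.tar mydata )
  touch "$WORK/.last_full"
}

# Differential backup: only files modified after the last full backup
# (-newer compares mtimes, so an edit made in the same second as the marker
# can be missed on filesystems with one-second timestamp resolution).
differential_backup() {
  ( cd "$WORK" && find mydata -type f -newer .last_full > diff.list )
  if [ -s "$WORK/diff.list" ]; then
    ( cd "$WORK" && tar -cf diff.tar -T diff.list )
  fi
}

# Restore test: unpack the full, then the differential archive into a scratch
# directory and compare with the live data. Exits non-zero if anything differs.
verify_restore() {
  rm -rf "$WORK/restore" && mkdir "$WORK/restore"
  ( cd "$WORK/restore" && tar -xf ../full.tar )
  if [ -f "$WORK/diff.tar" ]; then
    ( cd "$WORK/restore" && tar -xf ../diff.tar )
  fi
  diff -r "$WORK/mydata" "$WORK/restore/mydata"
}

# Number of regular files in an archive (tar lists directories with a trailing /).
count_entries() { tar -tf "$1" | grep -v '/$' | wc -l | tr -d ' '; }

make_sample_data && full_backup && differential_backup && verify_restore \
  && echo "full and differential backups restored correctly under $WORK"
```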

Lastly, don't forget to document what, how and where you back up. The backup is useless if you forget how and where you stored it and cannot retrieve your data when you need it most.

Besides providing availability of your data, backups can also be used to check, or regain, the integrity of your data.

Earlier, one of our readers (James) sent us his tip on using backups to address the integrity of systems and data:

I had a network environment that challenged just about any tool by the sheer number of web servers, domains, subnets and administrative passwords. Not all systems had anti-virus, and the ones that did have it could not always communicate back to let us know what it found.

But one thing we did have was a common backup architecture to make sure no data was ever lost. This turned into an excellent way to perform analysis for artifact files across the environment by searching the index files for files that are known artifacts of compromises. We were also able to use it to check that system installations met build standards regarding directory structures.

Many companies have full system backup capabilities long before they have full systems management capabilities through agent-based management and/or AV. The backup system index files are a resource in understanding the systems on the network.

If you have any additional tips on this topic that you would like to share, please send them to us.

Update: Tips from our readers.

Note: Usual disclaimers apply.

1) Cobian Backup for Windows
Further to the advice on backups for home users/small businesses, I can recommend a Windows "beggarware" (make a donation if you like it to encourage further development) utility called Cobian Backup that knocks spots off Microsoft's Backup. It is simple to configure automatic, regular full, incremental or differential backups on a single machine, plus it works over the network, i.e. each of the machines on the office LAN can back up to a single machine, and from there I can back up to separate media (USB hard drives, USB memory sticks, CDs and/or DVDs in my case). See www.cobian.se for info.

2) Rsync for Unix (from our reader Ned)
In addition to the Unix backup options you mention, I'm a huge fan of rsync for incremental backups. Despite being primarily designed to sync remote directories on the net, it also works great for syncing directories on the local machine or remote clients if their directories are mounted. For example, even Windows clients may be smb mounted on a *nix server and incrementally backed up in this manner, and the whole process automated in a cron job.


MS06-040 exploit in the wild

Published: 2006-08-13
Last Updated: 2006-08-13 17:57:47 UTC
by Swa Frantzen (Version: 7)
We have caught a live exploit against a Windows 2000 Server. The pcap of the exploit fires the Snort signatures for the vulnerability described in MS06-040.

We have multiple independent sources of reports at this time.

It looks like it's building a botnet (as we expected).
Signs defenders should look for:
  • Filename: wgareg.exe, MD5: 9928a1e6601cf00d0b7826d13fb556f0 (this is the bot)
  • Incoming traffic on 445/TCP but there is a lot of background noise on that port.
  • Snort signatures firing on:
    • BLEEDING-EDGE EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040)  [Bleedingsnort]
    • NETBIOS SMB-DS srvsvc NetrPathCanonicalize little endian overflow attempt [Sourcefire VRT]
  • Outgoing traffic to bniu.househot.com:18067 (Command and Control center, multiple IPs, IRC)
  • Outgoing traffic to ypgw.wallloan.com:18067 [we haven't seen those ourselves but do have multiple independent sources confirming it]
  • Outgoing traffic to port 445/TCP (scanning for victims and exploiting them)
Since this is a botnet, these bots may do much more depending on what the controller has in store for them. So unfortunately, if you ever want to trust the machines again, your only real option is to clean them by wiping the disk.
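The network indicators listed above can be checked mechanically against a connection log. The script below is an added example, not the handlers' own tooling: it assumes POSIX sh with awk and grep and a simple text log of the form shown, which is constructed here rather than captured from the incident.

```shell
#!/bin/sh
# Added example, not from the diary: checking the network indicators listed
# above against a connection log. The log format and every line in it are
# constructed for this example; adapt the awk field numbers to your own logs.
set -eu

C2_HOSTS="bniu.househot.com ypgw.wallloan.com"   # IRC C&C names from the diary
C2_PORT=18067

# Constructed log: date time src -> dst:port proto
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
2006-08-13 03:01:02 10.0.0.5 -> 10.0.0.9:445 tcp
2006-08-13 03:01:09 10.0.0.5 -> bniu.househot.com:18067 tcp
2006-08-13 03:02:11 10.0.0.7 -> mail.example.com:25 tcp
2006-08-13 03:02:40 10.0.0.5 -> 10.0.0.12:445 tcp
2006-08-13 03:02:41 10.0.0.5 -> 10.0.0.13:445 tcp
2006-08-13 03:03:05 10.0.0.7 -> 10.0.0.9:445 tcp
EOF

# c2_hits LOGFILE: lines whose destination is a known C&C host on the IRC port.
c2_hits() {
  for h in $C2_HOSTS; do
    grep -F -- "$h:$C2_PORT" "$1" || true   # grep exits 1 when nothing matches
  done
}

# scanners LOGFILE THRESHOLD: source hosts with more than THRESHOLD outbound
# 445/TCP connections. The diary notes heavy background noise on 445, so a
# single connection proves nothing; a burst from one host is the signal.
scanners() {
  awk -v n="$2" '$5 ~ /:445$/ && $6 == "tcp" { c[$3]++ }
                 END { for (s in c) if (c[s] > n) print s }' "$1" | sort
}

# report LOGFILE THRESHOLD: human-readable summary of both checks.
report() {
  echo "== outbound connections to known C&C =="
  c2_hits "$1"
  echo "== hosts with more than $2 outbound 445/TCP connections =="
  scanners "$1" "$2"
}

report "$LOG" 2
```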

Please do not ask for samples at this point.
We have shared it with the usual anti-virus vendors already.

Should you find other activity from these bots, or a sample with a differing MD5, we would very much appreciate a copy via the contact page.

We ran the bot through VirusTotal:
Scan results
 File: wgareg.exe
 Date: 08/13/2006 03:03:43 (CET)
----
AntiVir             6.35.1.0/20060812        found [HEUR/Crypted.Layered]
Authentium          4.93.8/20060812          found [Possibly a new variant of W32/Threat-HLLIM-based!Maximus]
Avast               4.7.844.0/20060810       found nothing
AVG                 386/20060811             found nothing
BitDefender         7.2/20060813             found [Generic.Malware.IXdld.658BDD6B]
CAT-QuickHeal       8.00/20060812            found [(Suspicious) - DNAScan]
ClamAV              devel-20060426/20060813  found nothing
DrWeb               4.33/20060812            found nothing
eTrust-InoculateIT  23.72.94/20060812        found nothing
eTrust-Vet          30.3.3012/20060811       found nothing
Ewido               4.0/20060812             found nothing
Fortinet            2.77.0.0/20060812        found nothing
F-Prot              3.16f/20060811           found [Possibly a new variant of W32/Threat-HLLIM-based!Maximus]
F-Prot4             4.2.1.29/20060811        found [W32/Threat-HLLIM-based!Maximus]
Ikarus              0.2.65.0/20060811        found nothing
Kaspersky           4.0.2.24/20060813        found nothing
McAfee              4827/20060811            found nothing
Microsoft           1.1508/20060804          found nothing
NOD32v2             1.1704/20060811          found [a variant of Win32/IRCBot.OO]
Norman              5.90.23/20060811         found [W32/Suspicious_M.gen]
Panda               9.0.0.4/20060812         found [Suspicious file]
Sophos              4.08.0/20060812          found nothing
Symantec            8.0/20060813             found nothing
TheHacker           5.9.8.190/20060810       found nothing
UNA                 1.83/20060811            found nothing
VBA32               3.11.0/20060811          found nothing
VirusBuster         4.3.7:9/20060812         found nothing
wgareg.exe tampers with the Windows registry. One of the things it adds is a description of itself: "Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability." Right ... It also appears to change settings related to firewalls and sharing.

LURHQ also has a story on the same subject by Joe Stewart; they found a variant of the binary with a different MD5 and slightly different behaviour.

Thanks to all involved: William, Jim, Scott, Dan and all those I forgot.

--
Swa Frantzen -- Section 66

Public release of exploits against the Windows help system

Published: 2006-08-12
Last Updated: 2006-08-12 22:06:15 UTC
by Swa Frantzen (Version: 1)
We've received reports of a public release of exploits against the Windows help system.

The exploits use *.hlp files. The best advice at this point is to block those files at the perimeter and never to trust them otherwise.

Please note that a few days ago Microsoft released patches for the HTML Help system: MS06-046. Those do not seem to be related to this.

--
Swa Frantzen -- Section 66


SquirrelMail 1.4.8 released

Published: 2006-08-12
Last Updated: 2006-08-12 20:40:52 UTC
by Jim Clausing (Version: 1)
A new version of SquirrelMail was released yesterday. The announcement at http://www.squirrelmail.org says that it contains a fix for a security vulnerability announced last week. So if you're running SquirrelMail, you should probably apply this upgrade.