Wednesday, March 14, 2007

Why SIMs are cool

One of the things I've wanted to blog on - and one of the things I want this blog to sort of 'be about' - is the technical and operational sides of SIM systems. So instead of coming up with a big idea article on SIM and why it's cool, I'll give you an example from today that made my day.

At work, our security team uses a SIM to do lots of things, and one of the more important ones is incident response and investigation. Today I was watching events from McAfee ePO and stumbled across the following event:

Name: 'JavaScript security violation detected and blocked'
Destination Address: XX.XX.36.92
File Name: 'Script executed by IEXPLORE.EXE'
String1: 'JS/Exploit-BO.gen'
String2: 'trojan'

This is a detect/block message for a generic JavaScript exploit that was detected while the user was in Internet Explorer. There's no good way to tell from this one event what was actually going on. One possibility is that there was exploit code there and it was blocked. Another is that other exploit code was present that was not blocked. So I searched for firewall events using this filter:

((source_address = "XX.XX.36.92") AND
((request_url EndsWith ".js") OR
(request_url EndsWith ".htm") OR
(request_url EndsWith ".html")))

(Note: I did not have to type this all out. It was a short series of mouse clicks in the SIM GUI.)
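As an added illustration (not from the post or the SIM vendor), the same pivot done by hand in Python: take the endpoint address from the ePO event, then pull that host's firewall/proxy records for script and page fetches. It goes one step past the GUI filter by testing the suffix against the URL path only, so a query string like ?v=3 does not hide a .js fetch. All records and addresses are constructed sample data.

```python
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Constructed sample records in the "Field: value" layout the SIM shows;
# addresses are from the 192.0.2.0/24 documentation range, not real hosts.
EPO_EVENT = """\
Name: 'JavaScript security violation detected and blocked'
Destination Address: 192.0.2.92
File Name: 'Script executed by IEXPLORE.EXE'
String1: 'JS/Exploit-BO.gen'"""

FIREWALL_EVENTS = """\
Source Address: 192.0.2.92
Request Url: http://192.0.2.199:80/incs/sfhover.js

Source Address: 192.0.2.92
Request Url: http://192.0.2.199:80/images/logo.png

Source Address: 192.0.2.17
Request Url: http://192.0.2.199:80/index.html

Source Address: 192.0.2.92
Request Url: http://192.0.2.201:80/menu.js?v=3""".split("\n\n")

SCRIPT_SUFFIXES = (".js", ".htm", ".html")

def parse_record(text: str) -> Dict[str, str]:
    """'Destination Address: x' -> {'destination_address': 'x'}, so keys
    match the field names in the SIM filter; surrounding quotes are dropped."""
    record = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        record[key.strip().lower().replace(" ", "_")] = value.strip().strip("'")
    return record

def url_path_endswith(url: str, suffixes: Iterable[str]) -> bool:
    """Suffix test on the URL path only, so '/menu.js?v=3' still counts as a
    script fetch; a plain EndsWith on the whole URL would miss it."""
    path = urlsplit(url).path.lower()
    return any(path.endswith(s) for s in suffixes)

def pivot_to_script_fetches(epo_event: str, fw_events: List[str]) -> List[str]:
    """The post's pivot: the ePO event's Destination Address is the endpoint
    that ran the script; return that host's .js/.htm/.html fetches."""
    host = parse_record(epo_event)["destination_address"]
    return [
        ev["request_url"]
        for ev in map(parse_record, fw_events)
        if ev.get("source_address") == host
        and url_path_endswith(ev.get("request_url", ""), SCRIPT_SUFFIXES)
    ]
```

Call pivot_to_script_fetches(EPO_EVENT, FIREWALL_EVENTS) to get the two script URLs the sample host fetched; the logo.png fetch and the other host's index.html are filtered out.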

And it took no time at all to find the firewall log event I was looking for:

Name: accept
Source Address: XX.XX.36.92
Destination Address: XX.XX.121.99
Request Url: http://XX.XX.121.99:80/incs/sfhover.js

So, it took less than 2 minutes to track back to a URL and get a look at the JavaScript code. Fire up a shell and:

$ wget http://XX.XX.121.99:80/incs/sfhover.js
--13:12:40-- http://XX.XX.121.99/incs/sfhover.js
=> `sfhover.js'
Connecting to XX.XX.121.99:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 751 [application/x-javascript]

100%[====================================>] 751 --.--K/s

13:12:40 (4.75 MB/s) - `sfhover.js' saved [751/751]
$ cat sfhover.js
...
for (var i=0; i<elemsArray[e].length; i++) {
    elemsArray[e][i].onmouseover=function() {
        this.className+=" sfhover";
    }
...

It was an onmouseover call that set McAfee off, and in this case, it's benign. Two minutes to run down a possible exploit with code and get back to work. Sorry, but that's just cool.
