Malware trends change over time and so do the methods of attack. Once upon a time the trend was to build a malicious site, jam it full of exploit code and entice an unsuspecting user onto your site. Reputation checks and blacklisting of sites have largely reduced the effectiveness and prevalence of this strategy. A convenient workaround is to simply find a site with a good reputation, compromise it and use this as your multi-warhead exploit site. The bonuses are that you do not need to provide content or users.
This trend has been on the increase to the point where in 2011:
Sophos saw an average of 19 000 new malicious URLs every day. That’s one every 4.5 seconds. 80% of the malicious URLs we found are legitimate websites hacked by cybercriminals.
Protect and Alert
The proposed answer to all of this is to use multiple layers of security to protect users. Forefront TMG 2010's URL Filtering and Malware Scanning provide these layers. You generally do not know how much they do for you unless you go and check the logs and reports. If you are reviewing these monthly or even weekly you are simply looking at a ship that has long since sailed.
TMG Reporter’s dashboard provides a real-time view of these Malware Events and allows you to pull reports immediately.
TMG Reporter also has the capability of sending email alerts based on these events. These alerts can be customised to provide the right level of detail to enable you or support engineers to take any action if it is required.
The reason this is important is that users will stop if they get a warning and are rapped over the knuckles. If a user in a browser session tries to download an infected file they receive this warning.
If a user sees this they are most likely to stop what they are doing. Unfortunately users would most likely never see this as the malicious code is generally hidden. The page would load just fine, and Forefront TMG effectively blocks the file from being transferred to the user.
Other than the file and the site involved, the other potentially important piece of information from an administration perspective is the Application doing the web call. If this is something other than a browser it could indicate active malware on a client machine attempting to connect to a command and control server.
Configuring Malware Alerts
TMG Reporter comes with a predefined Malware alert. Let's start with this alert and make some customizations to obtain more detail about malware threats as they occur.
- Select the Settings tab on the TMG Reporter Site
- Select Alerts
- Check the box next to Threat Detected – Malware
- Select Edit Alert from the top right-hand corner
No changes are required on this screen, but let's go through the fields and explain why they are there.
The Record Type = Web means that only the web proxy logs are checked for this alert. It is the only place where malware will be flagged, so this must stay as is.
The Threat Name field is set to Not equal "–" or "nothing." Log entries for files that are scanned and cleared by Forefront TMG are not populated with a value, so anything other than those two values means there is a malware hit.
The next screen allows you to specify the content of the alert. In other words, when an alert occurs, this page lets you specify what you actually want to know about the activity.
I will go through changing the fields so that the Alert email will provide the following information.
- The user name being used
- The Malware Threat name
- The site domain
- The client’s machine IP
- The Application
- The specific URL
- Date and Time
In the Alert Header section set the “Show” field from Application to User.
In the Alert Evidence table, change the fields to the following, keeping in mind that you will have to add additional fields using the green + button:
- Threat Name
- Site Domain
- Source IP
Note: By default the date and time are included but they do not show up in the email alert. So if this is not required then it can be left out.
On the next screen, enable the Alert and specify an email address.
Interpreting the Alerts
When Malware events are triggered you should now receive an email alert that looks as follows. This should provide you with enough information to make a call on whether or not further action is required. As with most event-driven actions, one first needs to establish a baseline and understand what is normal.
Checking the TMG Reporter site on the Alerts tab there will be a corresponding alert. Alerts are appended, so attempts over time can also be seen and tracked.
A relatively low number of these alerts is "normal." A spike in alerts could indicate that something is going wrong. With the alerts specified as mentioned above, you have a good place to start looking.
If a site is repeatedly coming up as infected then you can always use a URL category override to move it to the Malicious category.
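The alert condition (Threat Name neither "–" nor empty), the non-browser Application check, the baseline comparison and the repeat-offender domains described above, as an added Python example that is not part of the article and not TMG Reporter's own code. The sample log lines are constructed, and the tab-separated layout and column names are assumptions for this example, not Forefront TMG's real W3C log format.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log in a simplified tab-separated layout built from the
# fields the article puts into the alert. This is NOT Forefront TMG's real W3C
# log layout; the column names below are assumptions made for this example.
FIELDS = ["date", "time", "user", "source_ip", "application",
          "site_domain", "url", "threat_name"]
SAMPLE_LOG = (
    "2012-03-01\t09:00:01\tCORP\\alice\t10.1.1.5\tMozilla/5.0\t"
    "intranet.example.com\thttp://intranet.example.com/index.html\t-\n"
    "2012-03-01\t09:00:07\tCORP\\bob\t10.1.1.9\tMozilla/5.0\t"
    "news.example.net\thttp://news.example.net/ad.js\tTrojanDownloader:JS/Sample\n"
    "2012-03-01\t09:00:09\tCORP\\bob\t10.1.1.9\tMozilla/5.0\t"
    "news.example.net\thttp://news.example.net/drop.exe\tTrojan:Win32/Sample\n"
    "2012-03-01\t09:05:30\tCORP\\carol\t10.1.1.12\tupdater.exe\t"
    "news.example.net\thttp://news.example.net/c2/ping\tTrojan:Win32/Sample\n"
    "2012-03-01\t09:06:00\tCORP\\dave\t10.1.1.13\tMozilla/5.0\t"
    "shop.example.org\thttp://shop.example.org/cart\t\n"  # scanned clean: empty
)

def parse_log(text):
    """Split tab-separated lines into dicts keyed by FIELDS; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")  # keep empty trailing field (cleared files)
        if len(parts) == len(FIELDS):
            records.append(dict(zip(FIELDS, parts)))
    return records

def malware_hits(records):
    """The article's alert condition: Threat Name is neither '-' nor empty."""
    return [r for r in records if r["threat_name"] not in ("-", "")]

def non_browser_hits(hits, browser_prefix="Mozilla/"):
    """Hits whose Application is not a browser: a sign of active malware calling out."""
    return [r for r in hits if not r["application"].startswith(browser_prefix)]

def hits_per_domain(hits):
    """Repeat offenders: sites that keep coming up infected (category override candidates)."""
    return Counter(r["site_domain"] for r in hits)

def windows_over_baseline(hits, baseline, window_minutes=5):
    """Bucket hits into fixed windows; return 'YYYY-MM-DD HH:MM' starts above baseline."""
    buckets = Counter()
    for r in hits:
        ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        start = ts - timedelta(minutes=ts.minute % window_minutes, seconds=ts.second)
        buckets[start.strftime("%Y-%m-%d %H:%M")] += 1
    return sorted(w for w, n in buckets.items() if n > baseline)
```

Set `baseline` to the count you observe per window during a quiet period; only windows above it are worth a closer look.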