Why it’s a good idea to keep on top of Windows Updates

November 5, 2012 Technical, General

Our IDS has proven itself to be extremely valuable several times so far, so we thought we’d share something interesting that it picked up.

What’s an IDS?

In case you’ve not come across the term “IDS” before, and seeing as we haven’t mentioned it previously, we’ll go over that first.

An Intrusion Detection System, or IDS for short, is a system that sits on a network and compares packets to a set of rules. These rules contain signatures, which are patterns that are defined to detect malicious and potentially dangerous network activity.

When our IDS detects something, it will write a line to a log file that we monitor. It does NOT capture and keep data.

We won’t go into further detail about our IDS at this stage; maybe later 😉

Why you should update

But enough about the IDS, and onto what it found.

We detect millions of potentially malicious packets on a daily basis. These are your common RDP, SSH, FTP, etc. brute force attacks that mechanically work through different combinations of usernames and passwords. Once in a while an alert will pop up that catches my attention.

This one was something that very much tickled my fancy (some details are redacted for anonymity):

10/xx/2012-xx:xx:xx.xxxx  [**] [1:2014383:2] ET EXPLOIT Microsoft RDP Server targetParams Exploit Attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:63339 -> xxx.xxx.xxx.xxx:3389

This particular signature relates to the vulnerability discovered earlier this year in the Remote Desktop Protocol. It was identified as CVE-2012-0002 and MS12-020.
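The alert above is in the one-line “fast” log format that Snort and Suricata write, and our response was to read that line and block the source. As an added example (not code from the original post or from our IDS), here is a small parser for that format with a hypothetical blocking policy: block any source that triggers a priority‑1 alert or a signature in an explicit watch list. The sample lines, the addresses and the `BLOCK_SIDS` set are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample alerts in Snort/Suricata "fast" log format, modelled on the
# redacted line in the post. Timestamps and addresses are placeholders, not real data.
SAMPLE_ALERTS = [
    "10/31/2012-14:02:11.123456  [**] [1:2014383:2] ET EXPLOIT Microsoft RDP Server "
    "targetParams Exploit Attempt [**] [Classification: Attempted Administrator "
    "Privilege Gain] [Priority: 1] {TCP} 198.51.100.23:63339 -> 203.0.113.5:3389",
    "10/31/2012-14:02:12.000001  [**] [1:2001219:19] ET SCAN Potential SSH Scan [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "198.51.100.77:51022 -> 203.0.113.5:22",
    "this line is not an alert and must be ignored",
]

# One regex for the whole fast-log line; the Classification field is optional
# because rules without a classtype omit it.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one fast-log line; return None for lines that are not alerts."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    return Alert(
        timestamp=m["ts"],
        gid=int(m["gid"]),
        sid=int(m["sid"]),
        rev=int(m["rev"]),
        msg=m["msg"],
        classification=m["cls"],
        priority=int(m["prio"]),
        proto=m["proto"],
        src=m["src"],
        sport=int(m["sport"]),
        dst=m["dst"],
        dport=int(m["dport"]),
    )


# Hypothetical response policy (an assumption for this example, not the post's
# actual rule set): priority-1 alerts and a short list of high-confidence
# signature IDs get the source address blocked.
BLOCK_SIDS = {2014383}  # the MS12-020 RDP signature seen in the post


def should_block(alert: Alert) -> bool:
    return alert.priority == 1 or alert.sid in BLOCK_SIDS


def sources_to_block(lines: Iterable[str]) -> List[str]:
    """Return the sorted set of source IPs that the policy says to block."""
    blocked = set()
    for line in lines:
        alert = parse_alert(line)
        if alert is not None and should_block(alert):
            blocked.add(alert.src)
    return sorted(blocked)


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        a = parse_alert(line)
        if a:
            print(f"sid={a.sid} prio={a.priority} {a.src}:{a.sport} -> {a.dst}:{a.dport} block={should_block(a)}")
    print("block:", sources_to_block(SAMPLE_ALERTS))
```

In practice the `sources_to_block` output would feed whatever the firewall’s block list is; the point of splitting `parse_alert` from `should_block` is that the parsing is fixed by the log format while the policy is something you tune as the noise level changes.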

The flaw itself was caused by the way Windows handled a certain part of an RDP packet in memory. This could result in one of two things, depending on which version of Windows you’re running:

  • A blue screen of death
  • Remote code execution

This particular exploit was patched by Microsoft with an out-of-band update. If you’re a Windows customer with us, you will have received notification that we were scheduling some emergency downtime to get it patched immediately.

While the exploit is several months old, many users and admins don’t keep their systems patched, leaving themselves vulnerable. That’s why you still see it roaming in the wild instead of dying out quickly (as it should).

Of course this machine had been patched straight away so the exploit attempt was ineffective. Our IDS was watching and caught it in the act, and we banhammered the offending IP with great prejudice.

Some fun extra reading

If you’re interested in some more of the details, these pages provide good coverage.