This article is about utilizing OfficeScan’s Global C&C Callback Feature for an additional layer of internal protection against the Shellshock Linux Bash Vulnerability [CVE-2014-6271 and CVE-2014-7169].
A serious vulnerability has been found in the Bash command shell, which is commonly used by most Linux distributions. Commonly referred to as “Shellshock,” this vulnerability (CVE-2014-6271 and CVE-2014-7169) allows an attacker to run commands on an affected system. In short, this allows for remote code execution on servers that run these affected Linux distributions.
Trend Micro has identified that one potential way of exploiting or attacking a vulnerable Unix/Linux/Mac system is from within the boundaries of a network, bypassing perimeter security. Such attacks could potentially originate from Windows-based machines.
To protect against this type of attack, Trend Micro proactively recommends that customers who have deployed OfficeScan version 10.6 Service Pack 3 or 11.0 enable the Global Command & Control (C&C) Callback feature, which prevents potential attackers from using an OfficeScan-protected endpoint within the network to attack a Shellshock-vulnerable Unix/Linux/Mac machine.
The Global C&C IP list works in conjunction with Trend Micro's Network Content Inspection Engine (NCIE) to detect network connections to Trend Micro-confirmed C&C servers. Trend Micro has released a Shellshock-specific NCIE rule that detects C&C server contact through any network channel, and the Suspicious Connection Service logs all connection information for servers in the Global C&C IP list for evaluation.
By enabling this feature internally on supported OfficeScan clients, organizations add an extra layer of protection within their environments for Shellshock-vulnerable systems.
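The paragraph above describes the mechanism in prose: endpoint connections are compared against the Global C&C IP list and a user-defined blocked list, and matches are logged for evaluation. The following is an added illustration, not OfficeScan code or any Trend Micro API; it reproduces that matching logic over a few constructed connection records and constructed list entries (documentation address ranges, not real C&C addresses), so a reader can see what the service's log-only and log-and-allow decisions look like.

```python
import ipaddress

# Constructed sample lists. These are RFC 5737 documentation ranges, not real
# Trend Micro Global C&C entries; they stand in for the vendor-supplied list
# and for a user-defined blocked list. Entries may be single IPs or CIDR blocks.
GLOBAL_CC_LIST = ["203.0.113.0/24", "198.51.100.7"]
USER_BLOCKED_LIST = ["192.0.2.0/24"]

# Constructed endpoint connection records in the form "<src> -> <dst>:<port>".
# The real service reads these from its own network inspection, not from text.
SAMPLE_CONNECTIONS = [
    "10.0.0.5 -> 203.0.113.45:443",
    "10.0.0.5 -> 93.184.216.34:80",
    "10.0.0.9 -> 192.0.2.10:8080",
    "10.0.0.9 -> 198.51.100.7:22",
]


def build_networks(entries):
    """Turn list entries (single IPs or CIDR blocks) into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def parse_record(line):
    """Split a constructed record into (src, dst, port)."""
    src, rest = line.split(" -> ")
    dst, port = rest.rsplit(":", 1)
    return src.strip(), dst.strip(), int(port)


def classify(dst_ip, cc_nets, blocked_nets):
    """Map a destination to the page's three outcomes.

    'cc-callback'  : address is in the Global C&C list (logged as a callback)
    'user-blocked' : address is in the user-defined list (logged, access allowed)
    'allow'        : no match, nothing logged
    The Global C&C list is checked first so a callback is never downgraded to
    a user-list hit when both lists cover the same address.
    """
    ip = ipaddress.ip_address(dst_ip)
    if any(ip in net for net in cc_nets):
        return "cc-callback"
    if any(ip in net for net in blocked_nets):
        return "user-blocked"
    return "allow"


def evaluate(lines, cc_list=GLOBAL_CC_LIST, blocked_list=USER_BLOCKED_LIST):
    """Return (src, dst, port, verdict) for every record."""
    cc_nets = build_networks(cc_list)
    blocked_nets = build_networks(blocked_list)
    return [
        (src, dst, port, classify(dst, cc_nets, blocked_nets))
        for src, dst, port in map(parse_record, lines)
    ]


def log_lines(results):
    """Render only the records the service would log (matches, not 'allow')."""
    return [
        f"{src} -> {dst}:{port} [{verdict}]"
        for src, dst, port, verdict in results
        if verdict != "allow"
    ]


if __name__ == "__main__":
    for entry in log_lines(evaluate(SAMPLE_CONNECTIONS)):
        print(entry)
```

Of the four constructed records, two fall inside the C&C list (one via the /24 block, one via the single-address entry), one hits the user-defined list, and the connection to 93.184.216.34 matches neither and is not logged. Keeping the C&C check ahead of the user list mirrors the page's distinction between a logged callback and a logged-but-allowed user-list address.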
For more background information on Shellshock, including some additional tools and information, please visit Trend Micro’s landing page at: http://www.trendmicro.com/us/security/shellshock-bash-bug-exploit/index.html
Customers can enable OfficeScan’s Global C&C Callback functionality by using the instructions below for their respective version.
OfficeScan 10.6 Service Pack 2 with Custom Defense Pack or Service Pack 3
- Open the OfficeScan server console.
- Navigate to Networked Computers > Global Client Settings.
- Go to the C&C Contact Alert Settings section.
- Enable the "Log network connections between agents and Trend Micro confirmed C&C IP addresses" option.
- Select "Log connections from all endpoints" or "Only endpoints running specific operating systems".
- Click Save.
You may also visit the Online Help file for OfficeScan 10.6 by visiting this link.
OfficeScan 11.0 & XG
- Open the OfficeScan server console.
- Navigate to Agents > Agent Management.
- Select the group/domain you wish to apply the settings to.
- Click on Settings > Suspicious Connection Settings and enable the following:
  - Log network connections made to addresses in the Global C&C IP list
  - Log and allow access to User-defined Blocked IP list addresses
  - Log connections using malware network fingerprinting
  - Clean suspicious connections when a C&C callback is detected
- Click Apply to All Agents and click Close.
- Click Settings > Additional Service Settings.
- Under Suspicious Connection Service, select "Enable service on the following operating systems".
- Click Apply to All Agents, then click Close.
You may also visit the Online Help file for OfficeScan 11.0/XG by visiting this link.
In addition, customers are encouraged to review their OfficeScan settings and compare them with our best practice guide for malware, which can be found here.
What if I have additional questions?
For additional inquiries, contact Trend Micro Technical Support.