Rampant Paranoia 101

The Security FAQ in progress
1st eliminate spyware hijackware as the possible cause
unless you have reason to beleive its more serious


The Antivirus Defense-in-Depth Guide


Review Schadenfroh's excellent Spyware Removal Guide
and Junkware 101 @ overclockinghq

My old outline follows
Frist run Adaware (freeware edition), Spybot (freeware)
and CWShredder (freeware) CWTrojan removal tool a which is common hijack mechanism
then run HijackThis (freeware)
Iamnotageek now has an automated Hijack This analyzer
you can also post your log at Spywareinfo forums read the FAQ 1st
HijackThis reports classes of aps, processes and registry keys where hijackware gets entered
legitimate aps and malware are both reported, so you need to know the difference
after they help you get cleaned up
make a note of which aps have vaild entries (make a copy of the legitimate log file)
and run hijackthis after you install legitimate software so you can note new entries
(replace the copy of the legitimate logfile)
its then real easy to spot new invalid entries

a more serious infection requires more serious tools,

Do an online scan at TrendMico or Symantec (or both)
the first thing most malware will do once its past whatever defense you have is circumvent the firewall and antivirus scanners\monitors,
it can do this because its hard coded to look for a program in its default location, or it can attack the process directly (see following post)
since your scanning remotely your thus circumventing the cirumventing
however Id still follow the following proceedure

Installation Note
install all the security aps to nondefault directories
as in if it wants to install to C:/TDS-3,
say no and install it to a folder you make like
C:/pH33rNo3ViL/Trojan3

Then install the trial of Process Guard
it will detect any process the 1st time it runs and you have to approve it
you might be able to catch the malware right there trying to circumvent a security ap install, its recently changed how it installs by default, so now you need to switch off learning mode and remove evrything its "learned", then it will give you a each process as it tries to run

Download and trial
NOD32 (or another AV Scanner) 2nd Choice Kaspersky
TDS-3 (or another Trojan Scanner) 2nd Choics TrojanHunter
Port Explorer (or another Firewall monitor, not the one you currently have)
A Firewall, a different one than you currently have as its likely compromised

Scanning and Configuration

NOD32
Installation Guide (PDF)
to configure AMON click the white floppy disk icon with the red cross on it that is in your taskbar then > setup > accept the defaults
for NOD32 > Start > Programs > Eset > NOD32 > Setup Tab > Accept the Defaults
Download the latest Definitions and do a full scan


also grab a registry monitor and a filechecker that monitors your security exe for changes
------------------------------------------------------------------------------------------------------------------------------

a personal security software list

Scanners
NOD32
TDS-3 (with exe protection)

Execution Protection\Patches
WormGuard (with exe protection)
WSH Anti-Polymorphism Patch (freeware)
AnalogX Script Defender (freeware)
Symantec's noscript.exe (toggle on and off WSH) thanx OldMX
Spyware Blaster

Monitors\firewalls
PortExplorer
Process Guard
Kerio Personal Firewall2 (was freeware) supplements hardware NAT
Taskinfo 2003
RegistryProt (freeware)
Filehecker (freeware) a monitor for critical system files

Filters
Pest Patrol
Proxomitron (freeware)
CookieWall (freeware)
SpywareGuard (freeware)
BHODemon (freeware)

Spyware Removal
AdAware (freeware)
SpyBot Search and Destroy (freeware)
HijackThis (freeware)
CWShredder (freeware) CWTrojan removal tool
MRU Blaster not spyware per se this however cleans Most Recently Used Lists, info Spyware can tap into

Checksums
Haxial Hash (freeware)
fsum (freeware)

______________________________________________________






then get serious about your config and security audits
investigate setting up a dedicated Intrusion Detection box

rampant paranoia 101


my checklist


---------------------------------------------------------------
install Service Pack and hotfixes

Quote:

generally I download & burn service packs from the enterprise download and any odd hotfixes with a secured computer, but if you can't:
How to Download Service Packs w\ Knoppix

close the vulnerable NetBIOS ports and cleanup bindings
Cofigure IPSec
Retrict access to LSA info

disable unecessary services

disable Guest account
setup my user account
rename Administrator account
create fake Administrator account (disabled)
enable network lockout of the true Administrator account
Limit the number of logon accounts

remove the "Everyone" group and replace with "Authenticated Users" shares
disable default hidden shares, administrative shares, IPC$

disable HTML in e-mail
disable ActiveX
disabling or limiting WHS\VB\Java\Java Scripts (install, Script Defender, noscript.exe)
rename shscrap.dll to shscrapold;
Unhide File extensions, protected files, all files and folders

Enable Encrypted File System
Encrypt the Temp Directory
setup to clear the paging file at shutdown
lockdown the registry

disable dumpfile creation
remove insecure subsystems (OS/2 and POSIX)

protect or remove: arp.exe \ at.exe \ cacls.exe \ cmd.exe \ Command.com \ cscript.exe \ debug.exe \ edit.com \ edlin.exe \ finger.exe \ ftp.exe \ pconfig.exe \ Issync.exe \ nbtstat.exe \ net.exe \ Net1.exe \ netstat.exe \ netsh.exe \ nslookup.exe \ ping.exe \ posix.exe \ qbasic.exe \ rcp.exe \ regedit.exe \ regedt32.exe \ regini.exe \ rexec.exe \ rsh.exe \ route.exe \ Runas.exe \ runonce.exe \ telnet.exe \ tftp.exe \ tracert.exe \ Tlntsvr.exe \ wscript.exe \ xcopy.exe
remove the .reg file association from the registry editor
these all make it much harder for someone that has already compromised your computer
if there is a brain behind the attack (a hack or trojan) then they would need to reenable these if they can, which might tip their hand, the same goes for an automated attack like a worm, if it could manage it at all, and many more minor peices of malware\spyware, rely on some of these for infection or more accurately reinfection like runonce.exe, regedit, ect or as the vector for infection in more serious malware like ftp or telnet

Install and schedual trojan scanner, anti virus and intrusion detection
Install and configure ProcessGuard <<<<<<!!!!!

Install Firefox with the noscript extention, secure Internet Explorer and Lockout access to it with NTFS Permissions to all accounts other than the Administrative Account

configure security policy control
enable auditing (logon, object, privilege, account management, policy, system)
set permissions on the security event log
set account lockout policy
assign user rights
set security options
configure firewall
baseline Rootreveler

>>>>>>>>> connect to the internet


Test
Run Baseline Security Analyzer (freeware)
Run NessusWX (freeware)
Do multiple remote Port Scans

Software Install
install other software and baseline HijackThis & RootRevealer after each
Disable Restore Points (if XP) and Ghost the install

Its extremely rare any one box would get all of those
but I consider all of them
--------------------------------------------------------------------------------------------------------------------------------

then Ideally hook it up behind a hardware firewall and montior traffic into and out if the box with an IDS tap like SNORT

--------------------------------------------------------------------------------------------------------------------------------

My Security Linkfarm at Radified
In bad need of an update
______________________________________________________

A conversation with Lance Spitzner, Sun Microsystems senior security architect
and a founder of the Honeynet Project
a Honeynet (or pot) is a system that is bait for intrusion so it can be detected, monitored, mined for data and techniques
and eventually deflected, causing no harm from it, not an easy thing to do, considering the intruder has "root"

Excerpted Transcript
Used with permission from both Lance Spitzner and Dana Greenlee Producer and co-host of the WebTalkGuys
but she is a Lady, and very nice one for letting me do this
and of course Lance for taking time out to give me permission and answer a few questions.

We join the discussion of Honeynets in the middle here

Quote:

WebTalkGuys: Well Lance lets talk about bait, I mean why would...
does a hacker come to one of these sites just because...
or one of these computers, just because he can or
is there something on there that he'd want,
Do you care about that?

Lance: Thats actually one of the most amazing things,
if you just put a computer out there that has no percieved value
it will probably get scanned 10 to 20 time a day
this is any system Im not talking about corporations, small businesses
If any of your listeners have a connection at home
a home connection dsl cable isdn
and they have a dedicated connection
they are most likely getting scanned ten to twenty times a day, also
just as our systems are
the bad guys are being very active,
because it very simple to hack
you just download a tool and run the tool

WebTalkGuys: Why are they doing this though? dont these people have jobs?
Dont they have lives themselves or do they just sit around?

Lance: Well its very interesting and its one of the things weve learned
beacuse of these honeynets we see what these guys do afterwords, so we can monitor the motives
there is a misconception that people think that alot of these attackers are
misguided youths out exploring the internet
the reality is that the vast majority of these individuals
are criminal intent, in other words to make money
we see alot of time peolple hacking systems and
scanning for stolen credit cards
or thier launching attacks against other organizations
and potentially getting paid for it
or they are dealing in stolen music,
videos, licensed software such things called warez
people scanning or scouring the internet for email addresses
to build databases of stolen email addresses to sell to spammers
stolen paypal accounts
stolen ebay accounts
there is just a tremendous amount of criminal activity going on

WebTalk Guys: Ok so its really a malicious type of environment

Lance: Extremely hostile

----------discontiuity-----------------

a large percentage of the bad guys really dont care what systems they break into
they simply download an automated tool that
will literally scan 16 million computers in a night
and any one of those 16 million computers is vulnerable
the program will break into them

----------discontiuity-----------------

WebTalk: What are some of the most hacked operating systems out there?
Everybody has heard about Windows, but is Windows really the most hacked operating system on the internet?

Lance: No everybody is a potential victim, Windows tends to be very popular just because if the bad guys are going to develop an exploit he gets the biggest bang for the buck, for Windows.

we also tend to see alot of focus on Linux just because Linux is a free operating system
so more economically depressed countries its easier for the bad guys to get access to this OS, understand this OS and attack the OS
For example countries like Romania, Eastern Europe very economically depressed,
so we tend to see
alot of hacking activity coming out of those countries

WebTalk Guys: OK cause certainly as far as the numbers of computers that are connected to the Internet most of them are Unix and Linux arent they as far as the overall number?

No I would actually disagree I would say the growing majority is more in the
Windows side as more and more home users are connecting via broadband

WebTalk Guys: Well thats true and thats a fairly recent phenomenon

Lance: Exactly
and the very scary thing is thats why its becoming easier for hackers because people have this misconception that bad guys only target buisnesses or companies, but they dont realize
anybody, any system with an IP stack is a target
so you have these millions of home users coming online
that have no conception of security, who dont beleive theyre a target,
this becomes a very target rich environment for the bad guys.


----------discontiuity-----------------

More >

Known Direct Process Attacks @ DiamondCS

This section documents the main types of attacks that processes can launch against other processes on a local system (such as a trojan attacking a security program, a rootkit injecting into a system process, or a firewall "leak test" attempting to hitch on a web-browser).

These process vs. process attack techniques can typically be categorised into three distinct, but related groups:

Termination - the attacking process attempts to kill the target process. This is the most common attack.

Suspension - the attacking process attempts to suspend the target process (usually by suspending all threads belonging to the target process), leaving it resident but in an inactive, frozen state.

Modification - the attacking process attempts to modify or inject code in the target process, usually with the intent of changing the behaviour of the target process, or hiding its own code in the context of the target process. The target process remains resident and active, but in a modified state.

However, there are other types of attacks, including:

Hooks - the attacking process attempts to load a DLL into all processes on the system that use user32.dll, allowing it to then perform functions on behalf of other processes. This can make termination attacks easy, as well as firewall leak-tests, as well as password-stealers, as well as keystroke-loggers, and more.

Thread Activation - the attacking process attempts to start a thread in another process, usually with the start address being a function like ExitProcess, or in the case of the Windows File Protection attack, a function that unloads Windows File Protection.

Leaktests - the attacking process attempts to transmit data to the Internet, usually using advanced techniques such as hooking and thread activation in order to bypass firewalls. Although not originally designed as an anti-leaktest program, Process Guard has been demonstrated to have remarkable results against such programs.

Drivers - kernel-mode drivers (.sys files) have the power to perform some very low-level functions, and in the case of rootkits they can actually modify the behaviour of critical operating system functions.

All of the attacks represent a very serious and very real threat to local system security, particularly because the majority of people execute programs on their system without actually knowing what the code in the program does

Attacks in Detail

Code Modification

Process Termination

Miscellaneous Attacks

Rootkits

Global Hooks

Leaktests

Password Stealers

Keystroke Loggers

Disabling Windows File Protection

Poject Honeynet Security Papers
The Know your Enemy Series
Highly recommened

Know your enemy 1
How Probes, Idenetification and Exploits are employed
to compromise a system

Know your Enemy 2
How to detect attempted intrusions, identify the tools being employed
and vulnerabilities that are the target

Know your Enemy 3
What happens during a compromise "They Gain Root"
How tracks are covered, and how systems may be altered

Know Your Enemy: A Forensic Analysis
How to assess a successful attack and the lesssons to be learned from it.

Know Your Enemy: Motives
The Motives and Psychology of the Black-hat Community

Know Your Enemy: Worms of War
Worms as automated probes that ID and exploit exponentially

Know Your Eenemy: Passive Fingerprinting
How to learn more about the enemy, without them knowing it.


Operating System Security Guides
NSA Security Guides


Fauna
Virus Overview
Trojans
Worms
Why ActiveX is insecure
Hostile Java Applets
VBS, WSH and wscripts \More
Macro Viruses
Boot Sector Viruses
Multipartie Viruses
just a few forms of malware, more can be found in the Lists below


Malware Lists
Virus Bulletin
Viruslist.com Encyclopedia
VirusLibrary
Symantec Virus Database and threatl ist
McAfee Virus Information Library
Kaspersky Virus Encyclopedia
Sophos Virus Database with a content by type as well as alphabetical
Wildlist.org

Hoaxes and Scams
Hoaxbusters
Crimes of Persuasion
McAfee Hoaxes
Hoax News
Symantec Hoaxes
Urban Legends Search Page
Vmyths


Forensics
Forensics for Beginners
Firewall Forensics must read
Common Firewall False Positives


Port Reference
iana.org
Network ICE Port Knowledgebase
Common Trojan Port List


Scanners (Online Tests)
Anti-Trojan Online Port Scan
Blackcode Online Port Scan
HackerWatch.org Port Scan
PCFlank Port Scan and Privacy Check
mycgiserver Port Scan
DSL Reports Port Scan
Securitymetrics Port Scan
GRC Port Scan take anything Gibson says with a grain of salt
Sygate Port Scan
HackerWhacker Security Scan plus news ect
Symantec Security Check
Guardwall Popup Test
Qualys Browser Staelth Test (you pass this with a local host proxylike Naviscope)
TrendMicro Online Virus Scan

Security Scanners
Nessus
Microsoft Baseline Security Analyzer V1.1
Microsoft Personal Security Advisor


Tutorials\Info
my NetWatchman
ComputerCops
advICE database
SANS Knowledge Base
SpywareInfo.com
Insecure.org
Nastylop
SearchSecurity
SecurityFocus
Cheapbox Linux Firewall
Tutorial Linkfarm
Disabling VBS scripts from automatically running


Forums
Wilders Security Forum one of the best
SANS security forums This is the big leagues (SysAdmins, enterprise level)
Computer Cops Forums
DSL Reports Security Forum

Beyond that there is Network topology, Multiple Operating Systems and Guardians, Packet Sniffers, inspectors and Intrusion detection
Snort
Hogwash
OpenBSD\Security
Bastille Linux Linux Hardening scripts

Virus Wars
a sort of pedestrian crystal ball artical at PC Magazine

but with a few highlights here and there

Quote:

The virus writers are constantly trying to one-up each other by evolving their code with each new variant, but they're also trying to one-up the antivirus industry. Take Sundermeier's example of a recent back-and-forth: In the past, you might have found viruses on attachments boasting of nude celebrities, so businesses filtered executable extensions at the gateway. The virus authors then started zipping up their attachments.

In response, security firms had their scanning engines scan archives to block the ZIP files. Only days later, the authors fired back with password-protected ZIP files, which could bypass antivirus screening, as the software couldn't decrypt and take a guess at a password. As a result, Central Command learned to parse an e-mail message for the password and store it in memory so they could decrypt and virus-scan it. A week went by, says Sundermeier, and the authors "stopped including the password as a text file. It was a bitmap file, which completely screwed up our game plan."

Quote:

Writers speak of multiplatform viruses and viruses that will infect icons, cursors, or media files or damage CD-ROM and DVD-ROM drives. Advances in computing technology will inevitably extend the terrain for viruses; soon viruses could target instant messaging, peer-to-peer networks, voice-mail systems, handheld devices, Microsoft Xboxes and other consoles, and mobile phones (which will lead to cell-phone antivirus software).

BlueOwl believes the cyberbattles among authors will eventually breed worms that fight by trying to remove each other. What's more, he says, "virus authors have been inspired by real biological bacteria and evolution. So there have been thoughts about viruses which use genes when making new variants of themselves, and even female and male viruses that will be able to mate and have offspring resembling themselves." BlueOwl has seen only test runs so far, but he says, "If a mass mailer used it, it could really spread BIG."

Quote:

If virus writers are trending toward malice and developing new strategies to elude antivirus companies, why haven't we seen the Big One—a rapidly spreading virus that attempts to destroy data? roy g biv, a 25-year-old Austrian writer for the group 29A, says it's not that easy: A virus has to "get lucky" to spread far, or it needs a widespread hole to exploit so it can spread quickly. If it spreads quickly, however, it will be detected quickly. What's more, if the payload runs too soon, the virus will destroy itself, and if it runs too late, the antivirus companies will stop it.

Quote:

Scanning engines have also become more sophisticated. Five years ago, the scanning process was simple pattern matching. As Panda's Hinojosa puts it, "Advances in virus writing and polymorphic viruses have made pattern matching increasingly obsolete....Because these things spread so fast, there isn't necessarily time to get our signature file to the users. So heuristics started getting beefed up."

With more intelligent heuristics, scanners could interpret macro instructions and find them in specific parts of a file. They would look for files that were doing something suspicious and work on a point system. For example, if a file were searching for e-mail addresses, that would be one point. If it were trying to start up an SMTP engine, that would be another.

Quote:

So the challenge now becomes: How do you generically stop something through behavior-based phenomena? Because with something that gets spammed out to 10 million people, you don't necessarily have time to get it analyzed, a signature file deployed, and the users updated in 5 minutes worldwide. This moves us into having to detect malware at the network level before we know what it is. That is the wave of the future.

unregistering dlls from the command prompt
http://www.mac-net.com/295484.page
http://support.microsoft.com/kb/q249873/

Gaining access to System Volume Information and using CACLS
http://support.microsoft.com/kb/309531
http://www.ss64.com/nt/cacls.html

a rootkit will hide a virus or spyware from any scan

Quote:

Originally Posted by Chuck

[H]ardNews 2nd Edition Saturday April 16th

Rooting around Windows:
Rootkits in a Windows environment stealth more vicious code, like worms, viruses or spyware and are becoming pretty common in the later. If your scanner can't see it, it can't remove it. In all the excitement of patch day, many may have missed that Microsoft's Malicious Software Removal Tool has a new update for rootkits.

"It is the first time Redmond has added rootkit detection capabilities to the free Malicious Software Removal Tool, a move that underscores the increased prevalence of stealth rootkits on Windows machines.
In all, Toulouse said four child variants of the stealth rootkit will be detected. Hacker Defender (Win32/Hackdef) is a family of backdoor Trojans capable of creating, changing and hiding Windows system resources on a computer that it has infected."


Rooting the Finnish Way
F-Secure has a new beta rookit detection tool that is free to use until May 1st, F-Secure BlackLight Beta.
As well a specific malware freeware removal tools, including the popular F-Secure Anti-Virus for DOS.

"The rootkit itself does'nt typically cause deliberate damage. Its purpose is to hide software. But rootkits are used to hide malicious code. A virus, worm, backdoor or spyware program could remain active and undetected in a system for a long time if it uses a rootkit. The malware may remain undetected even if the computer is protected with state-of-the-art antivirus. And the antivirus can't remove something that it can't see. The threat from modern malware combined with rootkits is very similar to full stealth viruses that caused a lot of headache during the MS-DOS era. All this makes rootkits a significant threat."


Pro Rooting
Sysinternals RootRevealer is another freeware rootkit tool thats has a bit more advanced interface and compares the highest level of the Windows API and the lowest level of the raw contents of a file system volume or Registry hive and looks for discrepancies.

"Since persistent rootkits work by changing API results so that a system view using APIs differs from the actual view in storage, RootkitRevealer compares the results of a system scan at the highest level with that at the lowest level. The highest level is the Windows API and the lowest level is the raw contents of a file system volume or Registry hive (a hive file is the Registry's on-disk storage format). Thus, rootkits, whether user mode or kernel mode, that manipulate the Windows API or native API to remove their presence from a directory listing will be seen."

if something is constantly reappearing, a good bet is you have a rootkit somewhere
warez & crackers are a favored means to get a rootkit on a box
questionable freeware or compromised freeware too, your placing trust everytime you hit an .exe