Ice Czar
Guest
The Security FAQ in progress
1st eliminate spyware/hijackware as the possible cause
unless you have reason to believe it's more serious
The Antivirus Defense-in-Depth Guide
Review Schadenfroh's excellent Spyware Removal Guide
and Junkware 101 @ overclockinghq
My old outline follows
First run Ad-Aware (freeware edition), Spybot (freeware)
and CWShredder (freeware), the CWTrojan removal tool, since that is a common hijack mechanism
then run HijackThis (freeware)
Iamnotageek now has an automated HijackThis analyzer
you can also post your log at the Spywareinfo forums (read the FAQ 1st)
HijackThis reports the classes of apps, processes and registry keys where hijackware gets entered
legitimate apps and malware are both reported, so you need to know the difference
after they help you get cleaned up
make a note of which apps have valid entries (make a copy of the legitimate log file)
and run HijackThis after you install legitimate software so you can note the new entries
(then replace the copy of the legitimate logfile)
it's then real easy to spot new invalid entries
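Here is a worked example of the baseline-and-compare routine described above. It is an added example by the editor, not code from the original post or from HijackThis itself: it parses two HijackThis-style logs, reports entries that appeared since the known-clean baseline (grouped by section code), and folds only the entries you have approved into the stored baseline after a legitimate install. The two logs are constructed samples; the section codes (R0/R1/O2/O4/O23) follow the HijackThis format, but every path, CLSID and program name in them is made up.

```python
import re
from typing import Dict, List, Set

# A HijackThis entry line starts with a section code (R0-R3, F0-F3, N1-N4,
# O1-O24) followed by " - ". The banner, the "Platform:" line and the
# "Running processes:" paths are context, not entries, and are ignored.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

# Constructed sample logs (not real HijackThis output): the baseline is the
# copy kept after a clean-up, the current log was taken later.
BASELINE_LOG = """\
Logfile of HijackThis (constructed sample)
Platform: Windows XP SP2
Running processes:
C:\\WINDOWS\\System32\\smss.exe
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.example.com/
O2 - BHO: Example PDF Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\pdfhelper.dll
O4 - HKLM\\..\\Run: [nod32kui] "C:\\pH33rNo3ViL\\Eset\\nod32kui.exe" /WAITSERVICE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\\pH33rNo3ViL\\Eset\\nod32krn.exe
"""

CURRENT_LOG = """\
Logfile of HijackThis (constructed sample)
Platform: Windows XP SP2
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\System32\\svhost32.exe
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.example.com/
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://search.hijack.example/
O2 - BHO: Example PDF Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\pdfhelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-0000000000FF} - C:\\WINDOWS\\System32\\unknownbho.dll
O4 - HKLM\\..\\Run: [nod32kui] "C:\\pH33rNo3ViL\\Eset\\nod32kui.exe" /WAITSERVICE
O4 - HKLM\\..\\Run: [svhost32] C:\\WINDOWS\\System32\\svhost32.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\\pH33rNo3ViL\\Eset\\nod32krn.exe
"""


def parse_entries(log_text: str) -> Set[str]:
    """Collect the entry lines of a log and drop the context lines."""
    return {ln.strip() for ln in log_text.splitlines() if ENTRY_RE.match(ln.strip())}


def diff_logs(baseline_text: str, current_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Entries that appeared since the baseline and entries that vanished, grouped by section code."""
    base, cur = parse_entries(baseline_text), parse_entries(current_text)
    result: Dict[str, Dict[str, List[str]]] = {"added": {}, "removed": {}}
    for kind, entries in (("added", cur - base), ("removed", base - cur)):
        for entry in sorted(entries):
            code = ENTRY_RE.match(entry).group(1)
            result[kind].setdefault(code, []).append(entry)
    return result


def accept_into_baseline(baseline_text: str, current_text: str, approved: Set[str]) -> str:
    """After installing legitimate software, fold only the entries you have checked
    into the stored baseline; anything unapproved keeps showing up as new."""
    base = parse_entries(baseline_text)
    new = parse_entries(current_text) - base
    return "\n".join(sorted(base | (new & approved))) + "\n"


def report(diff: Dict[str, Dict[str, List[str]]]) -> str:
    """One line per difference, additions first, so a glance shows what changed."""
    lines = []
    for kind in ("added", "removed"):
        for code, entries in sorted(diff[kind].items()):
            for entry in entries:
                lines.append(f"{kind.upper():8s} {entry}")
    return "\n".join(lines) if lines else "no differences from baseline"


if __name__ == "__main__":
    print(report(diff_logs(BASELINE_LOG, CURRENT_LOG)))
```

Run against the two samples it flags the new R1 search-page hijack, the nameless O2 BHO and the extra O4 Run entry while saying nothing about the entries that were already in the clean baseline; after you install something legitimate, pass the exact entry lines you have verified to `accept_into_baseline` and save its output as the new baseline copy.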
a more serious infection requires more serious tools,
Do an online scan at Trend Micro or Symantec (or both)
the first thing most malware will do once it's past whatever defense you have is circumvent the firewall and antivirus scanners\monitors,
it can do this because it's hard coded to look for a program in its default location, or it can attack the process directly (see following post)
since you're scanning remotely you're thus circumventing the circumventing
however I'd still follow the following procedure
Installation Note
install all the security aps to nondefault directories
as in if it wants to install to C:/TDS-3,
say no and install it to a folder you make like
C:/pH33rNo3ViL/Trojan3
Then install the trial of Process Guard
it will detect any process the 1st time it runs and you have to approve it
you might be able to catch the malware right there trying to circumvent a security app install. It has recently changed how it installs by default, so now you need to switch off learning mode and remove everything it has "learned"; then it will prompt you for each process as it tries to run
Download and trial
NOD32 (or another AV scanner), 2nd choice Kaspersky
TDS-3 (or another trojan scanner), 2nd choice TrojanHunter
Port Explorer (or another firewall monitor, not the one you currently have)
A firewall, a different one than you currently have as it's likely compromised
Scanning and Configuration
NOD32
Installation Guide (PDF)
to configure AMON click the white floppy disk icon with the red cross on it that is in your taskbar then > setup > accept the defaults
for NOD32 > Start > Programs > Eset > NOD32 > Setup Tab > Accept the Defaults
Download the latest Definitions and do a full scan
also grab a registry monitor and a file checker that monitors your security exes for changes
------------------------------------------------------------------------------------------------------------------------------
a personal security software list
Scanners
NOD32
TDS-3 (with exe protection)
Execution Protection\Patches
WormGuard (with exe protection)
WSH Anti-Polymorphism Patch (freeware)
AnalogX Script Defender (freeware)
Symantec's noscript.exe (toggle on and off WSH) thanx OldMX
Spyware Blaster
Monitors\firewalls
PortExplorer
Process Guard
Kerio Personal Firewall2 (was freeware) supplements hardware NAT
Taskinfo 2003
RegistryProt (freeware)
FileChecker (freeware) a monitor for critical system files
Filters
Pest Patrol
Proxomitron (freeware)
CookieWall (freeware)
SpywareGuard (freeware)
BHODemon (freeware)
Spyware Removal
AdAware (freeware)
SpyBot Search and Destroy (freeware)
HijackThis (freeware)
CWShredder (freeware) CWTrojan removal tool
MRU Blaster, not spyware per se; this however cleans Most Recently Used lists, info spyware can tap into
Checksums
Haxial Hash (freeware)
fsum (freeware)
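The "file checker that monitors your security exes" above and the checksum tools in this list come down to one technique: hash the binaries once while the box is clean, keep the hashes somewhere the box itself cannot overwrite, and re-hash later. The script below is an added example by the editor, not code from the post or from any of the tools listed; it builds a SHA-256 baseline of the executables under a folder tree and reports what changed, went missing or was added. The folder layout, file names and file contents in `demo()` are constructed stand-ins for an install like C:\pH33rNo3ViL\Trojan3, and the baseline path is an assumption.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# File types worth baselining under a security tool's install folder.
WATCHED_SUFFIXES = (".exe", ".dll", ".sys")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large executables never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every watched file under root (relative, POSIX-style path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def save_baseline(baseline: Dict[str, str], dest: Path) -> None:
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> Dict[str, str]:
    return json.loads(src.read_text())


def verify(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the tree against the stored baseline; any non-empty list is a finding."""
    current = build_baseline(root)
    return {
        "changed": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake install folder, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Trojan3").mkdir()
        (root / "Trojan3" / "tds-3.exe").write_bytes(b"constructed scanner binary")
        (root / "Trojan3" / "scanner.dll").write_bytes(b"constructed helper library")
        (root / "readme.txt").write_bytes(b"not a watched file type")
        # Assumed location; in practice keep the baseline on read-only media,
        # since a payload that can patch the exe can also rewrite a hash list next to it.
        baseline_file = root / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulate tampering: one exe patched, one dll deleted, one unknown dll dropped.
        (root / "Trojan3" / "tds-3.exe").write_bytes(b"patched scanner binary")
        (root / "Trojan3" / "scanner.dll").unlink()
        (root / "Trojan3" / "hook.dll").write_bytes(b"constructed unknown dll")
        return verify(root, load_baseline(baseline_file))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:8s} {files}")
```

Schedule `verify` to run on boot and after every update of the security tools themselves, and re-run `build_baseline` only when you have installed something on purpose; a "changed" hit on a scanner exe that you did not update is exactly the "circumvent the scanner" behaviour described earlier in this post.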
______________________________________________________
then get serious about your config and security audits
investigate setting up a dedicated Intrusion Detection box
rampant paranoia 101
my checklist
---------------------------------------------------------------
install Service Pack and hotfixes
close the vulnerable NetBIOS ports and clean up bindings. Generally I download & burn service packs from the enterprise download and any odd hotfixes with a secured computer, but if you can't:
How to Download Service Packs w\ Knoppix
Configure IPSec
Restrict access to LSA info
disable unnecessary services
disable Guest account
setup my user account
rename Administrator account
create fake Administrator account (disabled)
enable network lockout of the true Administrator account
Limit the number of logon accounts
remove the "Everyone" group and replace with "Authenticated Users" shares
disable default hidden shares, administrative shares, IPC$
disable HTML in e-mail
disable ActiveX
disable or limit WSH\VB\Java\JavaScript (install Script Defender, noscript.exe)
rename shscrap.dll to shscrapold
Unhide File extensions, protected files, all files and folders
Enable Encrypted File System
Encrypt the Temp Directory
setup to clear the paging file at shutdown
lockdown the registry
disable dumpfile creation
remove insecure subsystems (OS/2 and POSIX)
protect or remove: arp.exe \ at.exe \ cacls.exe \ cmd.exe \ Command.com \ cscript.exe \ debug.exe \ edit.com \ edlin.exe \ finger.exe \ ftp.exe \ ipconfig.exe \ iissync.exe \ nbtstat.exe \ net.exe \ Net1.exe \ netstat.exe \ netsh.exe \ nslookup.exe \ ping.exe \ posix.exe \ qbasic.exe \ rcp.exe \ regedit.exe \ regedt32.exe \ regini.exe \ rexec.exe \ rsh.exe \ route.exe \ Runas.exe \ runonce.exe \ telnet.exe \ tftp.exe \ tracert.exe \ Tlntsvr.exe \ wscript.exe \ xcopy.exe
remove the .reg file association from the registry editor
these all make it much harder for someone that has already compromised your computer
if there is a brain behind the attack (a hack or trojan) then they would need to re-enable these if they can, which might tip their hand; the same goes for an automated attack like a worm, if it could manage it at all. Many more minor pieces of malware\spyware rely on some of these for infection, or more accurately reinfection (runonce.exe, regedit, etc.), or as the vector for infection in more serious malware (ftp or telnet)
Install and schedule trojan scanner, anti virus and intrusion detection
Install and configure ProcessGuard <<<<<<!!!!!
Install Firefox with the NoScript extension, secure Internet Explorer and lock out access to it with NTFS permissions for all accounts other than the Administrative account
configure security policy control
enable auditing (logon, object, privilege, account management, policy, system)
set permissions on the security event log
set account lockout policy
assign user rights
set security options
configure firewall
baseline RootkitRevealer
>>>>>>>>> connect to the internet
Test
Run Baseline Security Analyzer (freeware)
Run NessusWX (freeware)
Do multiple remote Port Scans
Software Install
install other software and baseline HijackThis & RootkitRevealer after each
Disable Restore Points (if XP) and Ghost the install
It's extremely rare any one box would get all of those
but I consider all of them
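Several items in the checklist above (disable the administrative shares, restrict LSA info, clear the paging file at shutdown, disable dumpfile creation, remove the OS/2 and POSIX subsystems, unhide extensions and protected files) are registry settings, so they can be audited instead of trusted. The script below is an added example by the editor, not from the post: on Windows it reads the live values with Python's standard winreg module, elsewhere it evaluates a constructed snapshot. The key paths and value names are the standard Windows ones; the "default workstation" snapshot is made up to show what an unhardened box reports, and the accepted values (for example RestrictAnonymous 1 or 2) are this checklist's reading, not an official baseline. Remember the caveat from earlier in the post: a registry read on a box you suspect is compromised is only as trustworthy as the box.

```python
from typing import Dict, List, Optional, Tuple

# Registry locations of several checklist items (standard Windows key paths and
# value names). Acceptable values are this checklist's reading of "hardened";
# None means the value must be absent entirely.
HKLM, HKCU = "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"
LANMAN = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
LSA = r"SYSTEM\CurrentControlSet\Control\Lsa"
MEMMGMT = r"SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
CRASH = r"SYSTEM\CurrentControlSet\Control\CrashControl"
SUBSYS = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"
EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

Check = Tuple[str, str, str, str, Optional[frozenset]]
CHECKS: List[Check] = [
    ("disable administrative shares (workstation)", HKLM, LANMAN, "AutoShareWks", frozenset({0})),
    ("disable administrative shares (server)", HKLM, LANMAN, "AutoShareServer", frozenset({0})),
    ("restrict anonymous access to LSA info", HKLM, LSA, "RestrictAnonymous", frozenset({1, 2})),
    ("clear the paging file at shutdown", HKLM, MEMMGMT, "ClearPageFileAtShutdown", frozenset({1})),
    ("disable dumpfile creation", HKLM, CRASH, "CrashDumpEnabled", frozenset({0})),
    ("remove the OS/2 subsystem", HKLM, SUBSYS, "Os2", None),
    ("remove the POSIX subsystem", HKLM, SUBSYS, "Posix", None),
    ("unhide file extensions", HKCU, EXPLORER, "HideFileExt", frozenset({0})),
    ("show hidden files and folders", HKCU, EXPLORER, "Hidden", frozenset({1})),
    ("show protected operating system files", HKCU, EXPLORER, "ShowSuperHidden", frozenset({1})),
]

Observed = Dict[Tuple[str, str, str], Optional[object]]


def read_registry() -> Observed:
    """Read the checked values from the live registry (Windows only, stdlib winreg)."""
    import winreg  # ImportError on non-Windows platforms
    observed: Observed = {}
    for _, hive, key, name, _ in CHECKS:
        try:
            with winreg.OpenKey(getattr(winreg, hive), key) as handle:
                observed[(hive, key, name)] = winreg.QueryValueEx(handle, name)[0]
        except FileNotFoundError:
            observed[(hive, key, name)] = None  # key or value not present
    return observed


def evaluate(observed: Observed) -> List[Tuple[str, str, Optional[object]]]:
    """(status, checklist item, observed value) for every check; a missing value reads as None."""
    results = []
    for item, hive, key, name, acceptable in CHECKS:
        value = observed.get((hive, key, name))
        ok = value is None if acceptable is None else value in acceptable
        results.append(("PASS" if ok else "FAIL", item, value))
    return results


def failures(observed: Observed) -> List[str]:
    """Just the checklist items that are not in their hardened state."""
    return [item for status, item, _ in evaluate(observed) if status == "FAIL"]


# Constructed snapshot of an unhardened workstation (made up, not read from a real box).
DEFAULT_WORKSTATION: Observed = {
    (HKLM, LANMAN, "AutoShareWks"): None,  # absent means the admin shares get created
    (HKLM, LANMAN, "AutoShareServer"): None,
    (HKLM, LSA, "RestrictAnonymous"): 0,
    (HKLM, MEMMGMT, "ClearPageFileAtShutdown"): 0,
    (HKLM, CRASH, "CrashDumpEnabled"): 3,
    (HKLM, SUBSYS, "Os2"): r"%SystemRoot%\system32\os2ss.exe",
    (HKLM, SUBSYS, "Posix"): r"%SystemRoot%\system32\psxss.exe",
    (HKCU, EXPLORER, "HideFileExt"): 1,
    (HKCU, EXPLORER, "Hidden"): 2,
    (HKCU, EXPLORER, "ShowSuperHidden"): 0,
}


if __name__ == "__main__":
    try:
        observed = read_registry()
    except ImportError:
        print("winreg unavailable (not Windows); evaluating the constructed snapshot")
        observed = DEFAULT_WORKSTATION
    for status, item, value in evaluate(observed):
        print(f"{status}  {item}  (observed: {value!r})")
```

The policy table and the evaluator are separate from the registry reader on purpose: the same `evaluate` can be pointed at an exported hive from a box that is offline, which is the safer way to audit a machine you do not trust yet.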
--------------------------------------------------------------------------------------------------------------------------------
then ideally hook it up behind a hardware firewall and monitor traffic into and out of the box with an IDS tap like Snort
--------------------------------------------------------------------------------------------------------------------------------
My Security Linkfarm at Radified
In bad need of an update
______________________________________________________
A conversation with Lance Spitzner, Sun Microsystems senior security architect
and a founder of the Honeynet Project
a honeynet (or honeypot) is a system that is bait for intrusion so it can be detected, monitored, mined for data and techniques
and eventually deflected, causing no harm from it; not an easy thing to do, considering the intruder has "root"
Excerpted Transcript
Used with permission from both Lance Spitzner and Dana Greenlee, producer and co-host of the WebTalkGuys
(but she is a lady, and a very nice one, for letting me do this)
and of course Lance for taking time out to give me permission and answer a few questions.
We join the discussion of honeynets in the middle here
WebTalkGuys: Well Lance, let's talk about bait, I mean why would...
does a hacker come to one of these sites just because...
or one of these computers, just because he can or
is there something on there that he'd want,
Do you care about that?
Lance: That's actually one of the most amazing things,
if you just put a computer out there that has no perceived value
it will probably get scanned 10 to 20 times a day
this is any system, I'm not talking about corporations, small businesses
If any of your listeners have a connection at home
a home connection dsl cable isdn
and they have a dedicated connection
they are most likely getting scanned ten to twenty times a day, also
just as our systems are
the bad guys are being very active,
because it's very simple to hack
you just download a tool and run the tool
WebTalkGuys: Why are they doing this though? Don't these people have jobs?
Don't they have lives themselves or do they just sit around?
Lance: Well it's very interesting and it's one of the things we've learned
because of these honeynets we see what these guys do afterwards, so we can monitor the motives
there is a misconception that people think that a lot of these attackers are
misguided youths out exploring the internet
the reality is that the vast majority of these individuals
are of criminal intent, in other words to make money
we see a lot of times people hacking systems and
scanning for stolen credit cards
or they're launching attacks against other organizations
and potentially getting paid for it
or they are dealing in stolen music,
videos, licensed software such things called warez
people scanning or scouring the internet for email addresses
to build databases of stolen email addresses to sell to spammers
stolen paypal accounts
stolen ebay accounts
there is just a tremendous amount of criminal activity going on
WebTalk Guys: Ok so it's really a malicious type of environment
Lance: Extremely hostile
----------discontinuity-----------------
a large percentage of the bad guys really don't care what systems they break into
they simply download an automated tool that
will literally scan 16 million computers in a night
and if any one of those 16 million computers is vulnerable
the program will break into them
----------discontinuity-----------------
WebTalk: What are some of the most hacked operating systems out there?
Everybody has heard about Windows, but is Windows really the most hacked operating system on the internet?
Lance: No, everybody is a potential victim. Windows tends to be very popular just because if the bad guys are going to develop an exploit they get the biggest bang for the buck for Windows.
we also tend to see a lot of focus on Linux just because Linux is a free operating system
so in more economically depressed countries it's easier for the bad guys to get access to this OS, understand this OS and attack the OS
For example countries like Romania, Eastern Europe very economically depressed,
so we tend to see
alot of hacking activity coming out of those countries
WebTalk Guys: OK, 'cause certainly as far as the numbers of computers that are connected to the Internet, most of them are Unix and Linux aren't they, as far as the overall number?
Lance: No, I would actually disagree, I would say the growing majority is more on the
Windows side as more and more home users are connecting via broadband
WebTalk Guys: Well that's true and that's a fairly recent phenomenon
Lance: Exactly
and the very scary thing is that's why it's becoming easier for hackers, because people have this misconception that bad guys only target businesses or companies, but they don't realize
anybody, any system with an IP stack is a target
so you have these millions of home users coming online
that have no conception of security, who don't believe they're a target,
this becomes a very target-rich environment for the bad guys.
----------discontinuity-----------------