Rampant Paranoia 101

Discussion in 'General Software' started by Ice Czar, Jun 24, 2004.

  1. Ice Czar

    The Security FAQ in progress
    First eliminate spyware/hijackware as the possible cause,
    unless you have reason to believe it's more serious

    The Antivirus Defense-in-Depth Guide

    Review Schadenfroh's excellent Spyware Removal Guide
    and Junkware 101 @ overclockinghq

    My old outline follows
    First run Ad-Aware (freeware edition), Spybot (freeware)
    and CWShredder (freeware), the CWS trojan removal tool, which is a common hijack mechanism
    then run HijackThis (freeware)
    Iamnotageek now has an automated HijackThis analyzer
    you can also post your log at Spywareinfo forums; read the FAQ first ;)
    HijackThis reports classes of apps, processes and registry keys where hijackware gets entered
    legitimate apps and malware are both reported, so you need to know the difference
    after they help you get cleaned up
    make a note of which apps have valid entries (make a copy of the legitimate log file)
    and run HijackThis after you install legitimate software so you can note new entries
    (replace the copy of the legitimate log file)
    it's then really easy to spot new invalid entries ;)

    a more serious infection requires more serious tools

    Do an online scan at Trend Micro or Symantec (or both)
    the first thing most malware will do once it's past whatever defense you have is circumvent the firewall and antivirus scanners\monitors,
    it can do this because it's hard-coded to look for a program in its default location, or it can attack the process directly (see following post)
    since you're scanning remotely you're thus circumventing the circumventing
    however I'd still follow the following procedure

    Installation Note
    install all the security apps to non-default directories
    as in, if it wants to install to C:/TDS-3,
    say no and install it to a folder you make like

    Then install the trial of Process Guard
    it will detect any process the first time it runs and you have to approve it
    you might be able to catch the malware right there trying to circumvent a security app install. It's recently changed how it installs by default, so now you need to switch off learning mode and remove everything it's "learned"; then it will give you each process as it tries to run

    Download and trial
    NOD32 (or another AV scanner), 2nd choice Kaspersky
    TDS-3 (or another trojan scanner), 2nd choice TrojanHunter
    Port Explorer (or another firewall monitor, not the one you currently have)
    A firewall, a different one than you currently have, as it's likely compromised

    Scanning and Configuration

    Installation Guide (PDF)
    to configure AMON click the white floppy disk icon with the red cross on it that is in your taskbar then > setup > accept the defaults
    for NOD32 > Start > Programs > Eset > NOD32 > Setup Tab > Accept the Defaults
    Download the latest Definitions and do a full scan

    also grab a registry monitor and a filechecker that monitors your security exe for changes

    a personal security software list

    TDS-3 (with exe protection)

    Execution Protection\Patches
    WormGuard (with exe protection)
    WSH Anti-Polymorphism Patch (freeware)
    AnalogX Script Defender (freeware)
    Symantec's noscript.exe (toggle on and off WSH) thanx OldMX :D
    Spyware Blaster

    Process Guard
    Kerio Personal Firewall 2 (was freeware) supplements hardware NAT
    Taskinfo 2003
    RegistryProt (freeware)
    FileChecker (freeware) a monitor for critical system files

    Pest Patrol
    Proxomitron (freeware)
    CookieWall (freeware)
    SpywareGuard (freeware)
    BHODemon (freeware)

    Spyware Removal
    AdAware (freeware)
    SpyBot Search and Destroy (freeware)
    HijackThis (freeware)
    CWShredder (freeware) CWTrojan removal tool
    MRU Blaster: not spyware per se; this however cleans Most Recently Used lists, info spyware can tap into

    Haxial Hash (freeware)
    fsum (freeware)


    then get serious about your config and security audits
    investigate setting up a dedicated Intrusion Detection box

    rampant paranoia 101

    my checklist

    install Service Pack and hotfixes
    close the vulnerable NetBIOS ports and clean up bindings
    Configure IPSec
    Restrict access to LSA info

    disable unnecessary services

    disable Guest account
    setup my user account
    rename Administrator account
    create fake Administrator account (disabled)
    enable network lockout of the true Administrator account

    Limit the number of logon accounts

    remove the "Everyone" group and replace with "Authenticated Users" shares
    disable default hidden shares, administrative shares, IPC$

    disable HTML in e-mail
    disable ActiveX
    disabling or limiting WSH\VB\Java\JavaScript (install Script Defender, noscript.exe)
    rename shscrap.dll to shscrapold;
    Unhide File extensions, protected files, all files and folders

    Enable Encrypted File System
    Encrypt the Temp Directory
    set up to clear the paging file at shutdown
    lockdown the registry

    disable dumpfile creation
    remove insecure subsystems (OS/2 and POSIX)

    protect or remove: arp.exe \ at.exe \ cacls.exe \ cmd.exe \ Command.com \ cscript.exe \ debug.exe \ edit.com \ edlin.exe \ finger.exe \ ftp.exe \ ipconfig.exe \ iissync.exe \ nbtstat.exe \ net.exe \ Net1.exe \ netstat.exe \ netsh.exe \ nslookup.exe \ ping.exe \ posix.exe \ qbasic.exe \ rcp.exe \ regedit.exe \ regedt32.exe \ regini.exe \ rexec.exe \ rsh.exe \ route.exe \ Runas.exe \ runonce.exe \ telnet.exe \ tftp.exe \ tracert.exe \ Tlntsvr.exe \ wscript.exe \ xcopy.exe
    remove the .reg file association from the registry editor
    These all make it much harder for someone that has already compromised your computer.
    If there is a brain behind the attack (a hack or trojan) then they would need to re-enable these if they can, which might tip their hand; the same goes for an automated attack like a worm, if it could manage it at all. Many more minor pieces of malware\spyware rely on some of these for infection, or more accurately reinfection, like runonce.exe, regedit, etc., or as the vector for infection in more serious malware, like ftp or telnet.

    Install and schedule trojan scanner, antivirus and intrusion detection
    Install and configure ProcessGuard <<<<<<!!!!!

    Install Firefox with the NoScript extension, secure Internet Explorer and lock out access to it with NTFS permissions for all accounts other than the Administrative account

    configure security policy control
    enable auditing (logon, object, privilege, account management, policy, system)
    set permissions on the security event log
    set account lockout policy
    assign user rights
    set security options
    configure firewall
    baseline RootkitRevealer

    >>>>>>>>> connect to the internet

    Run Baseline Security Analyzer (freeware)
    Run NessusWX (freeware)
    Do multiple remote Port Scans

    Software Install
    install other software and baseline HijackThis & RootkitRevealer after each
    Disable Restore Points (if XP) and Ghost the install

    It's extremely rare any one box would get all of those
    but I consider all of them


    then ideally hook it up behind a hardware firewall and monitor traffic into and out of the box with an IDS tap like Snort


    My Security Linkfarm at Radified
    In bad need of an update

    A conversation with Lance Spitzner, Sun Microsystems senior security architect
    and a founder of the Honeynet Project
    a Honeynet (or pot) is a system that is bait for intrusion so it can be detected, monitored, mined for data and techniques
    and eventually deflected, causing no harm from it, not an easy thing to do, considering the intruder has "root"

    Excerpted Transcript
    Used with permission from both Lance Spitzner and Dana Greenlee, producer and co-host of the WebTalkGuys
    (but she is a lady, and a very nice one for letting me do this ;)
    and of course Lance for taking time out to give me permission and answer a few questions.

    We join the discussion of Honeynets in the middle here
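    Both the "keep a copy of the clean HijackThis log and rerun it after every install" routine and the "file checker that monitors your security exe for changes" item above come down to the same mechanic: baseline a known-clean state, then report what differs later. The Python below is an added example written for this page, not code from HijackThis, FileChecker or DiamondCS. The section prefixes (R1, O2, O4, O23) are HijackThis's own; the one-line descriptions, both log texts, the hostname search.example.net, the CLSID, iehlpr.dll, svchosts.exe and the stand-in executables are constructed for the example and do not refer to any real sample.

```python
"""Baseline-and-diff helpers: HijackThis log entries and security-exe hashes.

Added example for this thread, not code from HijackThis or DiamondCS.
The sample log lines and the stand-in executables below are constructed.
"""
import hashlib
import os
import re
import tempfile

# Prefixes are HijackThis's real section codes; the descriptions are ours.
SECTIONS = {
    "R1": "IE start/search page (registry value)",
    "O2": "Browser Helper Object (DLL loaded into IE)",
    "O4": "Autorun (Run/RunOnce keys, Startup folder)",
    "O23": "NT service",
}
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Constructed: the baseline taken right after a clean install ...
BASELINE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 9:12:04 PM, on 6/24/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Tools\nod32\nod32krn.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: NOD32 Kernel Service - Eset - C:\Tools\nod32\nod32krn.exe
"""
# ... and a later scan: search page changed, a BHO and a Run key appeared,
# the AV service entry is gone, and ctfmon's path only differs in case.
CURRENT_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 11:40:31 PM, on 7/2/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\svchosts.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.net/?src=bar
O2 - BHO: (no name) - {00000000-1111-2222-3333-444444444444} - C:\WINDOWS\System32\iehlpr.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [svchosts] C:\WINDOWS\System32\svchosts.exe
"""


def parse_hijackthis(text):
    """Set of (section, body) entries; header, process list and blank lines are skipped.
    Bodies are lower-cased: Windows paths/keys are case-insensitive and logs mix case."""
    entries = set()
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.add((m.group(1), m.group(2).lower()))
    return entries


def _order(entry):
    code, body = entry
    return (code[0], int(code[1:]), body)


def diff_logs(baseline_text, current_text):
    """(added, removed): entries new since the clean baseline, and baseline entries now gone.
    A vanished O23 line for your scanner's service is the 'malware disabled the AV' case."""
    before, now = parse_hijackthis(baseline_text), parse_hijackthis(current_text)
    return sorted(now - before, key=_order), sorted(before - now, key=_order)


def describe(entries):
    """One report line per entry: code, what that section means, the raw body."""
    return ["%-4s %-44s %s" % (c, SECTIONS.get(c, "(other)"), b) for c, b in entries]


def hash_files(paths):
    """SHA-256 per path; take this right after installing your security apps."""
    digests = {}
    for path in paths:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        digests[path] = h.hexdigest()
    return digests


def changed_files(baseline):
    """Rehash every baselined file and report 'modified' (patched) or 'missing' (deleted)."""
    report = {}
    for path, digest in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif hash_files([path])[path] != digest:
            report[path] = "modified"
    return report


def demo_file_check():
    """Stand-alone run: two fake security exes, one patched in place, one deleted."""
    with tempfile.TemporaryDirectory() as d:
        av = os.path.join(d, "nod32krn.exe")   # constructed stand-ins, not real binaries
        fw = os.path.join(d, "persfw.exe")
        for path, filler in ((av, b"A"), (fw, b"B")):
            with open(path, "wb") as f:
                f.write(b"MZ" + filler * 64)
        baseline = hash_files([av, fw])
        with open(av, "r+b") as f:             # patch two bytes, as a trojan would
            f.seek(2)
            f.write(b"\x90\x90")
        os.remove(fw)                           # the firewall binary simply deleted
        return changed_files(baseline)


if __name__ == "__main__":
    added, removed = diff_logs(BASELINE_LOG, CURRENT_LOG)
    print("NEW since baseline:\n" + "\n".join(describe(added)))
    print("GONE since baseline:\n" + "\n".join(describe(removed)))
    print("file check:", demo_file_check())
```

    Keep the baseline log from the moment the box was clean and refresh it after every legitimate install, as the post says; anything in the "new" list you did not install yourself is what goes to the forum for analysis, and a scanner or firewall entry in the "gone" list is the circumvention the post warns about. The hash baseline should be taken from a trusted boot (a rootkit can lie to the running OS about what is on disk), and the baseline itself stored somewhere the machine cannot silently rewrite.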

  2. Ice Czar

    Known Direct Process Attacks @ DiamondCS

    This section documents the main types of attacks that processes can launch against other processes on a local system (such as a trojan attacking a security program, a rootkit injecting into a system process, or a firewall "leak test" attempting to hitch on a web-browser).

    These process vs. process attack techniques can typically be categorised into three distinct, but related groups:

    Termination - the attacking process attempts to kill the target process. This is the most common attack.

    Suspension - the attacking process attempts to suspend the target process (usually by suspending all threads belonging to the target process), leaving it resident but in an inactive, frozen state.

    Modification - the attacking process attempts to modify or inject code in the target process, usually with the intent of changing the behaviour of the target process, or hiding its own code in the context of the target process. The target process remains resident and active, but in a modified state.

    However, there are other types of attacks, including:

    Hooks - the attacking process attempts to load a DLL into all processes on the system that use user32.dll, allowing it to then perform functions on behalf of other processes. This can make termination attacks easy, as well as firewall leak-tests, as well as password-stealers, as well as keystroke-loggers, and more.

    Thread Activation - the attacking process attempts to start a thread in another process, usually with the start address being a function like ExitProcess, or in the case of the Windows File Protection attack, a function that unloads Windows File Protection.

    Leaktests - the attacking process attempts to transmit data to the Internet, usually using advanced techniques such as hooking and thread activation in order to bypass firewalls. Although not originally designed as an anti-leaktest program, Process Guard has been demonstrated to have remarkable results against such programs.

    Drivers - kernel-mode drivers (.sys files) have the power to perform some very low-level functions, and in the case of rootkits they can actually modify the behaviour of critical operating system functions.

    All of the attacks represent a very serious and very real threat to local system security, particularly because the majority of people execute programs on their system without actually knowing what the code in the program does.

    Attacks in Detail
    Code Modification
    Process Termination
    Miscellaneous Attacks
    Global Hooks
    Password Stealers
    Keystroke Loggers
    Disabling Windows File Protection
  3. Ice Czar

    Project Honeynet Security Papers
    The Know Your Enemy Series
    Highly recommended

    Know Your Enemy 1
    How probes, identification and exploits are employed
    to compromise a system

    Know your Enemy 2
    How to detect attempted intrusions, identify the tools being employed
    and vulnerabilities that are the target

    Know your Enemy 3
    What happens during a compromise "They Gain Root"
    How tracks are covered, and how systems may be altered

    Know Your Enemy: A Forensic Analysis
    How to assess a successful attack and the lessons to be learned from it.

    Know Your Enemy: Motives
    The Motives and Psychology of the Black-hat Community

    Know Your Enemy: Worms of War
    Worms as automated probes that ID and exploit exponentially

    Know Your Enemy: Passive Fingerprinting
    How to learn more about the enemy, without them knowing it.

    Operating System Security Guides
    NSA Security Guides

    Virus Overview
    Why ActiveX is insecure
    Hostile Java Applets
    VBS, WSH and wscripts \More
    Macro Viruses
    Boot Sector Viruses
    Multipartite Viruses
    just a few forms of malware, more can be found in the Lists below

    Malware Lists
    Virus Bulletin
    Viruslist.com Encyclopedia
    Symantec Virus Database and threat list
    McAfee Virus Information Library
    Kaspersky Virus Encyclopedia
    Sophos Virus Database with a content by type as well as alphabetical

    Hoaxes and Scams
    Crimes of Persuasion
    McAfee Hoaxes
    Hoax News
    Symantec Hoaxes
    Urban Legends Search Page

    Forensics for Beginners
    Firewall Forensics must read ;)
    Common Firewall False Positives

    Port Reference
    Network ICE Port Knowledgebase
    Common Trojan Port List

    Scanners (Online Tests)
    Anti-Trojan Online Port Scan
    Blackcode Online Port Scan
    HackerWatch.org Port Scan
    PCFlank Port Scan and Privacy Check
    mycgiserver Port Scan
    DSL Reports Port Scan
    Securitymetrics Port Scan
    GRC Port Scan take anything Gibson says with a grain of salt :rolleyes:
    Sygate Port Scan
    HackerWhacker Security Scan plus news etc.
    Symantec Security Check
    Guardwall Popup Test
    Qualys Browser Stealth Test (you pass this with a local host proxy like Naviscope)
    TrendMicro Online Virus Scan

    Security Scanners
    Microsoft Baseline Security Analyzer V1.1
    Microsoft Personal Security Advisor

    my NetWatchman
    advICE database
    SANS Knowledge Base
    Cheapbox Linux Firewall
    Tutorial Linkfarm
    Disabling VBS scripts from automatically running

    Wilders Security Forum one of the best
    SANS security forums This is the big leagues (SysAdmins, enterprise level)
    Computer Cops Forums
    DSL Reports Security Forum

    Beyond that there is Network topology, Multiple Operating Systems and Guardians, Packet Sniffers, inspectors and Intrusion detection
    Bastille Linux Linux Hardening scripts
  4. Ice Czar

    Virus Wars
    a sort of pedestrian crystal ball article at PC Magazine

    but with a few highlights here and there
  6. Ice Czar
    a rootkit will hide a virus or spyware from any scan
    if something is constantly reappearing, a good bet is you have a rootkit somewhere
    warez & crackers are a favored means to get a rootkit on a box
    questionable freeware or compromised freeware too; you're placing trust every time you hit an .exe