![[H]ard|Forum](/styles/hardforum/xenforo/logo_dark.png){kind=logo}
I
Ice Czar
Guest
The Security FAQ in progress
1st eliminate spyware hijackware as the possible cause
unless you have reason to beleive its more serious
The Antivirus Defense-in-Depth Guide
Review Schadenfroh's excellent Spyware Removal Guide
and Junkware 101 @ overclockinghq
My old outline follows
Frist run Adaware (freeware edition), Spybot (freeware)
and CWShredder (freeware) CWTrojan removal tool a which is common hijack mechanism
then run HijackThis (freeware)
Iamnotageek now has an automated Hijack This analyzer
you can also post your log at Spywareinfo forums read the FAQ 1st
HijackThis reports classes of aps, processes and registry keys where hijackware gets entered
legitimate aps and malware are both reported, so you need to know the difference
after they help you get cleaned up
make a note of which aps have vaild entries (make a copy of the legitimate log file)
and run hijackthis after you install legitimate software so you can note new entries
(replace the copy of the legitimate logfile)
its then real easy to spot new invalid entries
a more serious infection requires more serious tools,
Do an online scan at TrendMico or Symantec (or both)
the first thing most malware will do once its past whatever defense you have is circumvent the firewall and antivirus scanners\monitors,
it can do this because its hard coded to look for a program in its default location, or it can attack the process directly (see following post)
since your scanning remotely your thus circumventing the cirumventing
however Id still follow the following proceedure
Installation Note
install all the security aps to nondefault directories
as in if it wants to install to C:/TDS-3,
say no and install it to a folder you make like
C:/pH33rNo3ViL/Trojan3
Then install the trial of Process Guard
it will detect any process the 1st time it runs and you have to approve it
you might be able to catch the malware right there trying to circumvent a security ap install, its recently changed how it installs by default, so now you need to switch off learning mode and remove evrything its "learned", then it will give you a each process as it tries to run
Download and trial
NOD32 (or another AV Scanner) 2nd Choice Kaspersky
TDS-3 (or another Trojan Scanner) 2nd Choics TrojanHunter
Port Explorer (or another Firewall monitor, not the one you currently have)
A Firewall, a different one than you currently have as its likely compromised
Scanning and Configuration
NOD32
Installation Guide (PDF)
to configure AMON click the white floppy disk icon with the red cross on it that is in your taskbar then > setup > accept the defaults
for NOD32 > Start > Programs > Eset > NOD32 > Setup Tab > Accept the Defaults
Download the latest Definitions and do a full scan
also grab a registry monitor and a filechecker that monitors your security exe for changes
------------------------------------------------------------------------------------------------------------------------------
a personal security software list
Scanners
NOD32
TDS-3 (with exe protection)
Execution Protection\Patches
WormGuard (with exe protection)
WSH Anti-Polymorphism Patch (freeware)
AnalogX Script Defender (freeware)
Symantec's noscript.exe (toggle on and off WSH) thanx OldMX
Spyware Blaster
Monitors\firewalls
PortExplorer
Process Guard
Kerio Personal Firewall2 (was freeware) supplements hardware NAT
Taskinfo 2003
RegistryProt (freeware)
Filehecker (freeware) a monitor for critical system files
Filters
Pest Patrol
Proxomitron (freeware)
CookieWall (freeware)
SpywareGuard (freeware)
BHODemon (freeware)
Spyware Removal
AdAware (freeware)
SpyBot Search and Destroy (freeware)
HijackThis (freeware)
CWShredder (freeware) CWTrojan removal tool
MRU Blaster not spyware per se this however cleans Most Recently Used Lists, info Spyware can tap into
Checksums
Haxial Hash (freeware)
fsum (freeware)
______________________________________________________
then get serious about your config and security audits
investigate setting up a dedicated Intrusion Detection box
rampant paranoia 101
my checklist
---------------------------------------------------------------
install Service Pack and hotfixes
Cofigure IPSec
Retrict access to LSA info
disable unecessary services
disable Guest account
setup my user account
rename Administrator account
create fake Administrator account (disabled)
enable network lockout of the true Administrator account
Limit the number of logon accounts
remove the "Everyone" group and replace with "Authenticated Users" shares
disable default hidden shares, administrative shares, IPC$
disable HTML in e-mail
disable ActiveX
disabling or limiting WHS\VB\Java\Java Scripts (install, Script Defender, noscript.exe)
rename shscrap.dll to shscrapold;
Unhide File extensions, protected files, all files and folders
Enable Encrypted File System
Encrypt the Temp Directory
setup to clear the paging file at shutdown
lockdown the registry
disable dumpfile creation
remove insecure subsystems (OS/2 and POSIX)
protect or remove: arp.exe \ at.exe \ cacls.exe \ cmd.exe \ Command.com \ cscript.exe \ debug.exe \ edit.com \ edlin.exe \ finger.exe \ ftp.exe \ pconfig.exe \ Issync.exe \ nbtstat.exe \ net.exe \ Net1.exe \ netstat.exe \ netsh.exe \ nslookup.exe \ ping.exe \ posix.exe \ qbasic.exe \ rcp.exe \ regedit.exe \ regedt32.exe \ regini.exe \ rexec.exe \ rsh.exe \ route.exe \ Runas.exe \ runonce.exe \ telnet.exe \ tftp.exe \ tracert.exe \ Tlntsvr.exe \ wscript.exe \ xcopy.exe
remove the .reg file association from the registry editor
these all make it much harder for someone that has already compromised your computer
if there is a brain behind the attack (a hack or trojan) then they would need to reenable these if they can, which might tip their hand, the same goes for an automated attack like a worm, if it could manage it at all, and many more minor peices of malware\spyware, rely on some of these for infection or more accurately reinfection like runonce.exe, regedit, ect or as the vector for infection in more serious malware like ftp or telnet
Install and schedual trojan scanner, anti virus and intrusion detection
Install and configure ProcessGuard <<<<<<!!!!!
Install Firefox with the noscript extention, secure Internet Explorer and Lockout access to it with NTFS Permissions to all accounts other than the Administrative Account
configure security policy control
enable auditing (logon, object, privilege, account management, policy, system)
set permissions on the security event log
set account lockout policy
assign user rights
set security options
configure firewall
baseline Rootreveler
>>>>>>>>> connect to the internet
Test
Run Baseline Security Analyzer (freeware)
Run NessusWX (freeware)
Do multiple remote Port Scans
Software Install
install other software and baseline HijackThis & RootRevealer after each
Disable Restore Points (if XP) and Ghost the install
Its extremely rare any one box would get all of those
but I consider all of them
--------------------------------------------------------------------------------------------------------------------------------
then Ideally hook it up behind a hardware firewall and montior traffic into and out if the box with an IDS tap like SNORT
--------------------------------------------------------------------------------------------------------------------------------
My Security Linkfarm at Radified
In bad need of an update
______________________________________________________
A conversation with Lance Spitzner, Sun Microsystems senior security architect
and a founder of the Honeynet Project
a Honeynet (or pot) is a system that is bait for intrusion so it can be detected, monitored, mined for data and techniques
and eventually deflected, causing no harm from it, not an easy thing to do, considering the intruder has "root"
Excerpted Transcript
Used with permission from both Lance Spitzner and Dana Greenlee Producer and co-host of the WebTalkGuys
but she is a Lady, and very nice one for letting me do this
and of course Lance for taking time out to give me permission and answer a few questions.
We join the discussion of Honeynets in the middle here
1st eliminate spyware hijackware as the possible cause
unless you have reason to beleive its more serious
The Antivirus Defense-in-Depth Guide
Review Schadenfroh's excellent Spyware Removal Guide
and Junkware 101 @ overclockinghq
My old outline follows
Frist run Adaware (freeware edition), Spybot (freeware)
and CWShredder (freeware) CWTrojan removal tool a which is common hijack mechanism
then run HijackThis (freeware)
Iamnotageek now has an automated Hijack This analyzer
you can also post your log at Spywareinfo forums read the FAQ 1st
HijackThis reports classes of aps, processes and registry keys where hijackware gets entered
legitimate aps and malware are both reported, so you need to know the difference
after they help you get cleaned up
make a note of which aps have vaild entries (make a copy of the legitimate log file)
and run hijackthis after you install legitimate software so you can note new entries
(replace the copy of the legitimate logfile)
its then real easy to spot new invalid entries
a more serious infection requires more serious tools,
Do an online scan at TrendMico or Symantec (or both)
the first thing most malware will do once its past whatever defense you have is circumvent the firewall and antivirus scanners\monitors,
it can do this because its hard coded to look for a program in its default location, or it can attack the process directly (see following post)
since your scanning remotely your thus circumventing the cirumventing
however Id still follow the following proceedure
Installation Note
install all the security aps to nondefault directories
as in if it wants to install to C:/TDS-3,
say no and install it to a folder you make like
C:/pH33rNo3ViL/Trojan3
Then install the trial of Process Guard
it will detect any process the 1st time it runs and you have to approve it
you might be able to catch the malware right there trying to circumvent a security ap install, its recently changed how it installs by default, so now you need to switch off learning mode and remove evrything its "learned", then it will give you a each process as it tries to run
Download and trial
NOD32 (or another AV Scanner) 2nd Choice Kaspersky
TDS-3 (or another Trojan Scanner) 2nd Choics TrojanHunter
Port Explorer (or another Firewall monitor, not the one you currently have)
A Firewall, a different one than you currently have as its likely compromised
Scanning and Configuration
NOD32
Installation Guide (PDF)
to configure AMON click the white floppy disk icon with the red cross on it that is in your taskbar then > setup > accept the defaults
for NOD32 > Start > Programs > Eset > NOD32 > Setup Tab > Accept the Defaults
Download the latest Definitions and do a full scan
also grab a registry monitor and a filechecker that monitors your security exe for changes
------------------------------------------------------------------------------------------------------------------------------
a personal security software list
Scanners
NOD32
TDS-3 (with exe protection)
Execution Protection\Patches
WormGuard (with exe protection)
WSH Anti-Polymorphism Patch (freeware)
AnalogX Script Defender (freeware)
Symantec's noscript.exe (toggle on and off WSH) thanx OldMX
Spyware Blaster
Monitors\firewalls
PortExplorer
Process Guard
Kerio Personal Firewall2 (was freeware) supplements hardware NAT
Taskinfo 2003
RegistryProt (freeware)
Filehecker (freeware) a monitor for critical system files
Filters
Pest Patrol
Proxomitron (freeware)
CookieWall (freeware)
SpywareGuard (freeware)
BHODemon (freeware)
Spyware Removal
AdAware (freeware)
SpyBot Search and Destroy (freeware)
HijackThis (freeware)
CWShredder (freeware) CWTrojan removal tool
MRU Blaster not spyware per se this however cleans Most Recently Used Lists, info Spyware can tap into
Checksums
Haxial Hash (freeware)
fsum (freeware)
______________________________________________________
then get serious about your config and security audits
investigate setting up a dedicated Intrusion Detection box
rampant paranoia 101
my checklist
---------------------------------------------------------------
install Service Pack and hotfixes
close the vulnerable NetBIOS ports and cleanup bindings
Cofigure IPSec
Retrict access to LSA info
disable unecessary services
disable Guest account
setup my user account
rename Administrator account
create fake Administrator account (disabled)
enable network lockout of the true Administrator account
Limit the number of logon accounts
remove the "Everyone" group and replace with "Authenticated Users" shares
disable default hidden shares, administrative shares, IPC$
disable HTML in e-mail
disable ActiveX
disabling or limiting WHS\VB\Java\Java Scripts (install, Script Defender, noscript.exe)
rename shscrap.dll to shscrapold;
Unhide File extensions, protected files, all files and folders
Enable Encrypted File System
Encrypt the Temp Directory
setup to clear the paging file at shutdown
lockdown the registry
disable dumpfile creation
remove insecure subsystems (OS/2 and POSIX)
protect or remove: arp.exe \ at.exe \ cacls.exe \ cmd.exe \ Command.com \ cscript.exe \ debug.exe \ edit.com \ edlin.exe \ finger.exe \ ftp.exe \ pconfig.exe \ Issync.exe \ nbtstat.exe \ net.exe \ Net1.exe \ netstat.exe \ netsh.exe \ nslookup.exe \ ping.exe \ posix.exe \ qbasic.exe \ rcp.exe \ regedit.exe \ regedt32.exe \ regini.exe \ rexec.exe \ rsh.exe \ route.exe \ Runas.exe \ runonce.exe \ telnet.exe \ tftp.exe \ tracert.exe \ Tlntsvr.exe \ wscript.exe \ xcopy.exe
remove the .reg file association from the registry editor
these all make it much harder for someone that has already compromised your computer
if there is a brain behind the attack (a hack or trojan) then they would need to reenable these if they can, which might tip their hand, the same goes for an automated attack like a worm, if it could manage it at all, and many more minor peices of malware\spyware, rely on some of these for infection or more accurately reinfection like runonce.exe, regedit, ect or as the vector for infection in more serious malware like ftp or telnet
Install and schedual trojan scanner, anti virus and intrusion detection
Install and configure ProcessGuard <<<<<<!!!!!
Install Firefox with the noscript extention, secure Internet Explorer and Lockout access to it with NTFS Permissions to all accounts other than the Administrative Account
configure security policy control
enable auditing (logon, object, privilege, account management, policy, system)
set permissions on the security event log
set account lockout policy
assign user rights
set security options
configure firewall
baseline Rootreveler
>>>>>>>>> connect to the internet
Test
Run Baseline Security Analyzer (freeware)
Run NessusWX (freeware)
Do multiple remote Port Scans
Software Install
install other software and baseline HijackThis & RootRevealer after each
Disable Restore Points (if XP) and Ghost the install
Its extremely rare any one box would get all of those
but I consider all of them
--------------------------------------------------------------------------------------------------------------------------------
then Ideally hook it up behind a hardware firewall and montior traffic into and out if the box with an IDS tap like SNORT
--------------------------------------------------------------------------------------------------------------------------------
My Security Linkfarm at Radified
In bad need of an update
______________________________________________________
A conversation with Lance Spitzner, Sun Microsystems senior security architect
and a founder of the Honeynet Project
a Honeynet (or pot) is a system that is bait for intrusion so it can be detected, monitored, mined for data and techniques
and eventually deflected, causing no harm from it, not an easy thing to do, considering the intruder has "root"
Excerpted Transcript
Used with permission from both Lance Spitzner and Dana Greenlee Producer and co-host of the WebTalkGuys
but she is a Lady, and very nice one for letting me do this
and of course Lance for taking time out to give me permission and answer a few questions.
We join the discussion of Honeynets in the middle here
