How secure are your Windows systems?
UA Security Awareness Day, November 5, 2004
Rusma Mulyadi, Paul Tate
Agenda
Sophos’ 10 Latest Viruses
Botnets
Common worm propagation methods
Network- and host-based detection
Manual removal*
Defense-in-depth
Questions + contact info
References
Sophos’ 10 Latest Viruses
November 3rd, 2004
(Ago|for|gt|phat|r|rx|sd)bot
Email and P2P worms
Infected machines since April ’04: approx. 1800 unique hosts*
*multiple infections, only border NIDS
What is a botnet?
Mostly from a slide by John Kristoff – NANOG32
An army of compromised hosts (bots) under a common command and control (C&C):
  Commonly IRC-based
  P2P – Phatbot
The bot: servant code, exploit and attack tools
The purpose: DoS, ID theft, keyloggers, phishing, spam – for fun and profit
Rbot Commands
<@pwnz> .findpass
<dark> [FINDPASS]: The Windows logon (Pid: <111>) information is: Domain: \\Windows, User: (Bill Gates/(no password)).
<@pwnz> .capture screen C:\Screenshot.jpg
<dark> [CAPTURE]: Screen capture saved to: C:\Screenshot.jpg.
Source: http://jayzafool.com/commands.html
Rbot Commands – Scans
Rbot Commands – Attacks
What are the propagation methods?
Vulnerable services
  RPC-DCOM (MS04-012, MS03-039, MS03-026)
  LSASS (MS04-011)
  Web browsers (IE, Mozilla, etc.)
Weak passwords (incl. MS-SQL)
Emails: MyDoom, Beagle
Peer-to-Peer
SANS Top 10 Windows Vuln. – http://www.sans.org/top20
W1 Web Servers & Services
W2 Workstation Service
W3 Windows Remote Access Services
W4 Microsoft SQL Server (MSSQL)
W5 Windows Authentication
W6 Web Browsers
W7 File-Sharing Applications
W8 LSASS Exposures
W9 Mail Client
W10 Instant Messaging
Detections – Network-level
Network-based IDS & RNA
  HOST SYN SWEEP to TCP 80, 135, 139, 445, 1025, 3127, 6129…
  Worm-specific signatures
  Abnormal FTP ports
Network slowness reports – Packeteer
  DoS launched by controlled bots
Network audits – nmap, Nessus, custom scripts
Internal and external reports
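The HOST SYN SWEEP signal above can be reproduced offline. The Python below is an added example, not part of the original slides or any UA tool: it reads constructed flow records (timestamp, source, destination, destination port, TCP flags), keeps only SYN-only probes to the ports the slide lists, and raises an alert once a single source has probed ten distinct destination hosts inside a sixty-second sliding window. The record format, the threshold and the window are assumptions to be tuned against your own NIDS or flow collector.

```python
"""Flag hosts that SYN-sweep the worm/bot ports from the slide (constructed example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# TCP ports the slide lists as common HOST SYN SWEEP targets; tune for your network.
WATCHED_PORTS = {80, 135, 139, 445, 1025, 3127, 6129}
SWEEP_THRESHOLD = 10            # distinct destination hosts ...
WINDOW = timedelta(seconds=60)  # ... reached within this sliding window

# Constructed sample of flow records: "timestamp src dst dport tcp_flags"
# ("S" = SYN only, "SA" = SYN/ACK). 10.1.2.3 sweeps 12 hosts; 10.1.7.7 is normal traffic.
SAMPLE_LOG = """\
2004-11-03T10:00:00 10.1.2.3 10.1.5.10 445 S
2004-11-03T10:00:00 10.1.2.3 10.1.5.11 445 S
2004-11-03T10:00:01 10.1.2.3 10.1.5.12 445 S
2004-11-03T10:00:01 10.1.2.3 10.1.5.13 135 S
2004-11-03T10:00:02 10.1.2.3 10.1.5.14 445 S
2004-11-03T10:00:02 10.1.2.3 10.1.5.15 445 S
2004-11-03T10:00:03 10.1.2.3 10.1.5.16 445 S
2004-11-03T10:00:03 10.1.2.3 10.1.5.17 445 S
2004-11-03T10:00:04 10.1.2.3 10.1.5.18 445 S
2004-11-03T10:00:04 10.1.2.3 10.1.5.19 445 S
2004-11-03T10:00:05 10.1.2.3 10.1.5.20 445 S
2004-11-03T10:00:05 10.1.2.3 10.1.5.21 445 S
2004-11-03T10:00:06 10.1.7.7 10.1.5.10 80 S
2004-11-03T10:00:06 10.1.5.10 10.1.7.7 1033 SA
2004-11-03T10:00:09 10.1.7.7 10.1.5.40 80 S
"""


def parse_line(line):
    """Split one flow record into (timestamp, src, dst, dport, flags)."""
    ts, src, dst, dport, flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), flags


def find_syn_sweeps(lines, threshold=SWEEP_THRESHOLD, window=WINDOW):
    """Return {src: summary} for sources whose SYN-only probes to WATCHED_PORTS
    reach `threshold` distinct destination hosts inside any `window`."""
    probes = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, flags = parse_line(line)
        if flags == "S" and dport in WATCHED_PORTS:
            probes[src].append((ts, dst, dport))

    alerts = {}
    for src, events in probes.items():
        events.sort()
        in_window = Counter()   # distinct destinations currently inside the window
        start = 0
        for end, (ts, dst, _) in enumerate(events):
            in_window[dst] += 1
            # Slide the window forward: drop probes older than `window`.
            while ts - events[start][0] > window:
                old_dst = events[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            if len(in_window) >= threshold:
                summary = alerts.setdefault(
                    src, {"first_seen": events[start][0], "hosts": 0, "ports": set()})
                summary["last_seen"] = ts
                summary["hosts"] = max(summary["hosts"], len(in_window))
                summary["ports"].update(p for _, _, p in events[start:end + 1])
    for summary in alerts.values():
        summary["ports"] = sorted(summary["ports"])
    return alerts


if __name__ == "__main__":
    for src, s in find_syn_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {s['hosts']} hosts on ports {s['ports']} "
              f"between {s['first_seen']} and {s['last_seen']}")
```

Counting distinct destinations rather than raw SYN packets is what separates a sweep from a busy but legitimate client retrying one server; the SYN/ACK line in the sample is ignored because the detector only looks at connection attempts.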
Do these look familiar?
Windows + TCP 113
  USERID : UNIX : glniyvel
  USERID : UNIX : ketz
FTPd on abnormal ports
  220 StnyFtpd 0wns j0
  220 Serv-U FTP-Server v2.5i for WinSock ready...
  220 Serv-U FTP Server v4.0 for WinSock ready...
  220 Bot Server (Win32)
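A banner-based check for the two patterns above, as an added example that is not from the slides: it matches the bot FTPd greetings shown on the slide, flags any FTP "220" greeting on a port other than 21, and flags an ident (TCP 113) "USERID : UNIX" reply coming from a host that the asset inventory says is Windows. The banner records and the inventory OS field are constructed; a real run would feed it the output of a banner-grabbing scan.

```python
"""Triage service banners for the bot fingerprints shown on the slide (constructed example)."""
import re

# Greeting strings the slide shows on infected machines (taken from the page).
BOT_BANNER_PATTERNS = [
    re.compile(r"StnyFtpd 0wns j0"),
    re.compile(r"Bot Server \(Win32\)"),
]
FTP_GREETING = re.compile(r"^220[ -]")                   # RFC 959 "service ready" reply
IDENT_UNIX_REPLY = re.compile(r"USERID\s*:\s*UNIX\s*:")  # RFC 1413 reply with OS token UNIX

# Constructed banner-grab results: (host, port, OS from the asset inventory, banner)
SAMPLE_BANNERS = [
    ("10.1.5.10", 21,   "Windows", "220 Serv-U FTP Server v4.0 for WinSock ready..."),
    ("10.1.5.11", 5555, "Windows", "220 StnyFtpd 0wns j0"),
    ("10.1.5.12", 1234, "Windows", "220 Serv-U FTP-Server v2.5i for WinSock ready..."),
    ("10.1.5.13", 113,  "Windows", "USERID : UNIX : glniyvel"),
    ("10.1.5.14", 113,  "Linux",   "USERID : UNIX : alice"),
    ("10.1.5.15", 80,   "Windows", "HTTP/1.1 200 OK"),
]


def classify_banner(port, os_name, banner):
    """Return the list of reasons this banner deserves a look (empty = nothing odd)."""
    findings = []
    if any(p.search(banner) for p in BOT_BANNER_PATTERNS):
        findings.append("banner matches a known bot FTPd greeting")
    if FTP_GREETING.match(banner) and port != 21:
        findings.append(f"FTP greeting on non-standard port {port}")
    if port == 113 and IDENT_UNIX_REPLY.search(banner) and os_name.lower().startswith("win"):
        findings.append("UNIX-style ident reply from a Windows host")
    return findings


def triage(records):
    """Map (host, port) -> findings for every record that raised at least one."""
    result = {}
    for host, port, os_name, banner in records:
        findings = classify_banner(port, os_name, banner)
        if findings:
            result[(host, port)] = findings
    return result


if __name__ == "__main__":
    for (host, port), findings in sorted(triage(SAMPLE_BANNERS).items()):
        print(f"{host}:{port}")
        for f in findings:
            print("   -", f)
```

The Serv-U greeting on port 21 is left alone on purpose: the banner itself is legitimate software, and what made it notable on the slide was the port it appeared on.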
How about this?
Detections – Host-level
Personal firewall alerts
Anti-virus software
Adware/spyware detection
  Spybot Search & Destroy, Ad-Aware, HijackThis, BHODemon
File integrity tools: md5sum
Strange system behaviors
Personal FW – Outgoing alerts
Personal FW – Incoming alerts
Strange behaviors – new listening ports
Manual removal*
Find the malicious process
Netstat (Windows XP SP2):
  -a: displays all connections and listening ports
  -b: includes executables
  -v: more verbose (with -b)
  -n: no address/port resolution
  -o: displays the PID so you can match it in Task Manager
Fport: http://www.foundstone.com/
ActivePorts: http://www.ntutility.com/freeware
TaskInfo: http://www.iarsn.com/taskinfo.html
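An added Python helper, not from the slides or from the tools listed above, that parses the `netstat -ano` output the slide describes and does the matching by hand: it ties each row to its PID, flags listeners that are absent from a baseline, and flags established connections to TCP 6667, the usual IRC port, since the botnet slide notes that C&C is commonly IRC-based. The netstat text, the PID-to-image table (what `netstat -b` or `tasklist` would give you) and the baseline of expected listeners are all constructed.

```python
"""Parse `netstat -ano` output and flag unexpected listeners and C&C-looking connections."""
import re

# One netstat -ano row: proto, local addr:port, foreign addr:port, optional state, PID.
NETSTAT_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+):(?P<fport>\S+)\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)

# Constructed output in the Windows XP `netstat -ano` layout.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       928
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       1704
  TCP    10.1.5.11:1033         192.0.2.10:6667        ESTABLISHED     1704
  TCP    10.1.5.11:1034         192.0.2.20:80          ESTABLISHED     1388
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed PID -> image name table, as `netstat -b` or `tasklist` would report it.
SAMPLE_PROCESSES = {4: "System", 928: "svchost.exe", 1388: "iexplore.exe",
                    1704: "example_unknown.exe"}

# Listeners this (constructed) workstation baseline expects to see.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 139), ("TCP", 445),
                      ("UDP", 137), ("UDP", 138), ("UDP", 445)}

# Remote ports worth a second look: 6667 is the usual IRC port.
SUSPICIOUS_REMOTE_PORTS = {6667}


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            row = m.groupdict()
            row["lport"] = int(row["lport"])
            row["pid"] = int(row["pid"])
            row["state"] = row["state"] or ""   # UDP rows carry no state column
            rows.append(row)
    return rows


def review_connections(rows, process_names, expected=EXPECTED_LISTENERS,
                       suspicious_remote=SUSPICIOUS_REMOTE_PORTS):
    """Return (pid, process, reason) triples for rows that deviate from the baseline."""
    findings = []
    for r in rows:
        name = process_names.get(r["pid"], "<unknown>")
        listening = r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["faddr"] == "*")
        if listening and (r["proto"], r["lport"]) not in expected:
            findings.append((r["pid"], name,
                             f"unexpected {r['proto']} listener on port {r['lport']}"))
        if (r["state"] == "ESTABLISHED" and r["fport"].isdigit()
                and int(r["fport"]) in suspicious_remote):
            findings.append((r["pid"], name,
                             f"connection to {r['faddr']}:{r['fport']} (IRC port)"))
    return findings


def pids_to_investigate(text, process_names):
    """Distinct PIDs that raised at least one finding, for Task Manager follow-up."""
    return sorted({pid for pid, _, _ in review_connections(parse_netstat(text), process_names)})


if __name__ == "__main__":
    for pid, name, reason in review_connections(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PROCESSES):
        print(f"PID {pid} ({name}): {reason}")
```

Both findings in the sample land on the same PID, which is the point of the `-o` flag on the slide: one process that both listens on an odd port and holds an IRC connection is the one to look at first.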
Manual removal…*
Is it a legitimate service port?
  http://www.iana.org/assignments/port-numbers
  http://www.dshield.org/port_report.php
  http://www.neohapsis.com/neolabs/neo-ports/neo-ports.html
Is it a legitimate system file?
  md5sum – http://www.etree.org/md5com.html
  NIST checksum DB – https://www.sirt.arizona.edu/checksumcheck/SearchbyFile.php
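The md5sum check above, written as an added Python example rather than with the tools the slide links to: it snapshots the digests of binaries under a directory, then reports which files were modified, added or removed. `demo()` builds a throwaway directory to show the three cases; nothing on the slide is copied. MD5 stays the default to match the slide, but `hashlib.new` accepts "sha256", which is what a baseline built today should use, since MD5 collisions are practical. A baseline only proves that a file changed; whether the new content is legitimate still needs the vendor or NIST checksum sources the slide lists.

```python
"""Hash-baseline check for system binaries (constructed example; hashlib stands in for md5sum)."""
import hashlib
import os
import tempfile


def file_digest(path, algorithm="md5"):
    """Hex digest of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, extensions=(".exe", ".dll", ".sys"), algorithm="md5"):
    """Map relative path -> digest for every binary under `root`."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = file_digest(full, algorithm)
    return baseline


def compare_to_baseline(root, baseline, algorithm="md5"):
    """Report which binaries changed, appeared or disappeared since the baseline was taken."""
    current = build_baseline(root, algorithm=algorithm)
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Simulate a clean snapshot, then a tampered system32, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "system32")
        os.makedirs(sysdir)
        for name in ("kernel32.dll", "lsass.exe", "readme.txt"):  # .txt is outside the scope
            with open(os.path.join(sysdir, name), "wb") as f:
                f.write(b"original contents of " + name.encode())
        baseline = build_baseline(root)

        # Tamper: overwrite one binary, drop a new one in, delete another.
        with open(os.path.join(sysdir, "lsass.exe"), "wb") as f:
            f.write(b"replaced by something else")
        with open(os.path.join(sysdir, "example_unknown.exe"), "wb") as f:
            f.write(b"newly appeared binary")
        os.remove(os.path.join(sysdir, "kernel32.dll"))
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Store the baseline off the host (or on read-only media); a baseline file that the malware can rewrite proves nothing.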
Manual removal…*
Terminate the malicious process (e.g. pskill – http://www.sysinternals.com)
Find & delete the malware:
  Hidden files/folders
  Hidden operating system files
Clean up registry keys
Check AV vendors’ websites for similar worm/virus variants
Reboot and validate!
Total SYSTEM REBUILD when necessary
Manual removal…* Places programs load from
Start Menu – Startup group
Autorun.inf
Registry
"Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to re-install Windows to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk."
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entries:
HKU\[codenumber]\Software\Microsoft\Windows\CurrentVersion\Run\
HKU\[codenumber]\Software\Microsoft\Windows\CurrentVersion\RunServices\
Manual removal…* Places programs load from…
Browser Helper Objects
BHODemon
Manual removal…* Places programs load from…
Internet Explorer Helper Objects
Tools -> Internet Options, then click on the “Settings” button
Manual removal…* Places programs load from…
Internet Explorer Helper Objects
Click on the “View Objects…” button
Manual removal…* Places programs load from…
Internet Explorer Helper Objects
Right-click on each object to see what it belongs to.
Manual removal…* Places programs load from…
Internet Explorer Helper Objects
The CodeBase entry helps somewhat in telling where an object came from.
Defense-in-depth – Network layer
Router ACL & RACL
Firewall & NIDS
Vulnerability scanners
  Nessus – www.nessus.org
  SARA – http://www-arc.com/sara/
  Nikto – web server scanner, http://www.cirt.net/code/nikto.shtml
Careful scans – consult/notify SIRT ☺
Defense-in-depth – Host layer
Patch, patch, patch… ☺
Host-based firewall – Kerio
Host-based IDS and anomaly detection
Anti-virus software – Sophos AV
Defense-in-depth – Host layer
Spyware/adware detection tools
  Spybot Search & Destroy, Ad-Aware, HijackThis, BHODemon
Know your systems
Backups
  Make sure you test them!
  In case you need them.
Knowing your systems
Only run necessary services
  Disable UPnP
  Turn off Remote Assistance and Desktop Sharing
Knowing your systems…
Understand ‘default’ configurations
Anonymous access – null sessions
  HKLM\SYSTEM\CurrentControlSet\Control\Lsa: set “RestrictAnonymous” to 2
  GPO:
    Disable “Network Access: Let Everyone permissions apply to anonymous users”
    Enable “Network Access: Do not allow anonymous enumeration of SAM accounts and shares”
    Disable “Allow anonymous SID/Name translation”
Default shares
  HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters: add AutoShareServer (DWORD) with value 0
Default passwords and user accounts
  Blank passwords, unused accounts
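The Run/RunServices locations from the earlier "Places programs load from" slide and the two registry values on this slide can both be audited from a `.reg` export without touching a live registry, which also keeps the audit away from the Registry Editor warning quoted earlier. The following Python is an added example, not code from the slides: it parses an export (the constructed sample stands in for what `reg export` writes), lists every autostart entry under HKLM and under each HKEY_USERS hive, flags entries whose image lives in a user-writable folder (a heuristic assumed here, not a rule from the slides), and reports whether RestrictAnonymous is 2 and AutoShareServer is 0. The SID, file names and paths in the sample are constructed.

```python
"""Audit a .reg export for autostart entries and the two hardening values from the slides."""
import re

REG_KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE_LINE = re.compile(r'^(?:"(?P<name>[^"]*)"|@)=(?P<data>.*)$')

# Run / RunServices keys under HKLM and under each user's hive, as listed on the slide.
AUTOSTART_KEY = re.compile(
    r"^(HKEY_LOCAL_MACHINE|HKEY_USERS\\[^\\]+)"
    r"\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\(RUN|RUNSERVICES)$"
)
# Heuristic (an assumption of this example): autostart images living in user-writable
# folders deserve a closer look before anything is deleted.
USER_WRITABLE_PATH = re.compile(r"\\TEMP\\|\\DOCUMENTS AND SETTINGS\\", re.IGNORECASE)

# Hardening values from the slides: (key, value name, wanted DWORD).
HARDENING_CHECKS = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA", "RestrictAnonymous", 2),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LANMANSERVER\PARAMETERS",
     "AutoShareServer", 0),
]

# Constructed export of the relevant keys from a not-yet-hardened XP box.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1004\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SysHelper"="C:\\Documents and Settings\\bob\\Local Settings\\Temp\\syshelper.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000001
"""


def _decode(data):
    """Turn textual .reg data into (type, python value); unknown types stay raw."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return "string", data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return "dword", int(data[6:], 16)
    return "raw", data


def parse_reg_export(text):
    """Map UPPER-CASED key path -> {value name: (type, value)}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = REG_KEY_LINE.match(line)
        if m:
            current = m.group("key").upper()   # registry key names are case-insensitive
            keys.setdefault(current, {})
            continue
        m = REG_VALUE_LINE.match(line)
        if m and current is not None:
            name = m.group("name") if m.group("name") is not None else "(Default)"
            keys[current][name] = _decode(m.group("data"))
    return keys


def autostart_entries(keys):
    """Every (key, value name, command) under the Run/RunServices locations."""
    return [(key, name, data)
            for key, values in keys.items() if AUTOSTART_KEY.match(key)
            for name, (_, data) in values.items()]


def suspicious_autostarts(keys):
    """Autostart entries whose image sits in a user-writable folder."""
    return [e for e in autostart_entries(keys) if USER_WRITABLE_PATH.search(str(e[2]))]


def hardening_failures(keys):
    """(value name, actual, wanted) for every hardening value that is absent or wrong."""
    failures = []
    for key, name, wanted in HARDENING_CHECKS:
        actual = keys.get(key, {}).get(name, (None, None))[1]
        if actual != wanted:
            failures.append((name, actual, wanted))
    return failures


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    for key, name, cmd in autostart_entries(parsed):
        print(f"autostart  {name!r} -> {cmd}   [{key}]")
    for key, name, cmd in suspicious_autostarts(parsed):
        print(f"LOOK AT    {name!r}: image in a user-writable folder")
    for name, actual, wanted in hardening_failures(parsed):
        print(f"HARDENING  {name} is {actual}, wanted {wanted}")
```

A missing value is reported as a failure too (actual `None`), which matters for AutoShareServer: the slide says to add it, so an export where the value is simply absent is still the unhardened state.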
Knowing your systems…
Strong password policy & password audits
  Always use NTLMv2 when possible
  Advance written permission before audits ☺
  LC6, John the Ripper
Knowing your systems…
Host-level audits
  Written audit procedures are always GOOD
  Checks for abnormal behaviors
  Free command-line tools + SMOP
  Check your logs…
    The Top 10 Log Entries that Show You’ve Been Hacked
    http://loganalysis.org/news/tutorials/index.html
Knowing your systems… Host-level audits…
Foundstone’s Forensic Toolkits & fport – http://www.foundstone.com/resources/freetools.htm
Somarsoft Utilities – Dump(sec|evt|reg) – http://www.somarsoft.com/
PsTools – http://www.sysinternals.com/ntw2k/freeware/pstools.shtml
Windows Resource Kits
Defense-in-depth – YOU-ARE-IT!
Review your logs!! – did I just say it again?
End-user education
  http://security.arizona.edu/awareness.html
  http://www.cert.org/homeusers/
Policies and procedures
  U of A Acceptable Use of Computers and Networks – http://security.arizona.edu/policies-guidelines.html
  Departmental guides & policies
    FSO – http://www.fso.arizona.edu/fso/computing/policies.asp
    Rescomp – http://www.rescomp.arizona.edu/guides/aup.php
Information sharing
  SIRT-discuss + Netdiscuss
  Send samples to AV vendors
Conclusions
It’s a WILD network
Layered defenses
YOU-ARE-IT!
Questions + contact info
Feedback?
Rusma Mulyadi – [email protected]
Paul Tate – [email protected]
SIRT Team – [email protected]
References
http://sophos.com
http://www.merit.edu/~nanog/mtg-0410/pdf/kristoff.pdf
http://jayzafool.com/commands.html
http://www.lurhq.com/phatbot.html
http://www.sans.org/top20
Useful resources
https://www.sirt.arizona.edu/page.php?page=seclink
https://www.sirt.arizona.edu/page.php?page=secOs
http://security.arizona.edu/
http://sitelicense.arizona.edu
Spybot Search & Destroy: http://beam.to/spybotsd
Ad-Aware: http://www.lavasoftusa.com/
HijackThis: http://www.spywareinfo.com/~merijn
BHODemon: http://www.definitivesolutions.com
http://loganalysis.org/