When Your Dog Can’t Help You: Malware in the Home
Stephen Rondeau
Institute of Technology
7 May 2008
Home Scenario
• Effect 1
• Effect 2
• Effect 3
• Effect 4
• Effect 5
• Effect 6
• Effect 7
In Dog We Trust
• Dogs:
  – are better than us, in these senses:
    • smell, seeing (in the dark, and detecting movement), hearing
  – can detect differences quickly
  – may bark to alert us of differences
  – can scare, chase away, or harm other animals
  – are great as home monitors and defenders
Schank’s For the Memory
• We learn/follow scripts in various situations
  – We and others play roles in the script
• Scripts are stereotyped sequences of actions
• We summon a script for a given situation
  – Leads to expectations of things to occur
• Roger Schank & Robert Abelson, Scripts, Plans, Goals, and Understanding: An Inquiry Into Human Knowledge Structures, Lawrence Erlbaum, 1977
Scripting the Night: Fantastic!
– Determine If Something Is “Wrong”
– Form Idea of What May Have Happened
– Arm Yourself/Prepare to Raise Alarm/Hide
– Locate the Source/Follow the Evidence
– Observe/Confirm Suspicions
– Disarm/Contain, Scare Away or Remove the Intruder
– Block/Monitor Means of Entry
– Determine What Was Removed, Damaged, Left Behind
– Replace, Clean/Fix, Remove
Is Something “Wrong”?
• Implies knowing what is “right”
  – know your system in terms of:
    • authorized users
    • valid services and applications, especially those using the network
    • how much time some programs take to run
    • how long it normally takes to download something
    • what files you have or how much disk space you use
  – in short, look for anomalies in: users, running programs, performance, network traffic, and file space
What May Have Happened
• Did you or someone you trust recently…
  – add a new user account?
  – add a user to the Administrators group?
  – use a weak password?
  – install some new software?
  – use a floppy, USB drive or CD/DVD?
  – forget to:
    • patch Windows?
    • update antivirus?
    • turn on the firewall?
Arm Yourself/Raise Alarm/Hide
– Light the way
– Be familiar with some (XP) tools to:
  • determine a baseline (MS Baseline Security Analyzer)
  • detect problems (spyware/antivirus scan)
  • show user accounts (net user)
  • show privileges (net localgroup administrators)
  • show or kill processes (tasklist, taskkill; Sysinternals procexp)
  • manage services (sc; services.msc)
  • show scheduled tasks (schtasks)
  • list files by date of last modification (dir /od)
– Search the web for suspicious files and services
– Should use external tools, like www.e-fense.com/helix
Locate Source/Follow Evidence
• Where's the problem? Look in:
  • c:\windows; c:\windows\system32 (dir /od)
  • registry (regedit)
  • startup locations (Sysinternals autoruns)
  • network ports (netstat -anob; Sysinternals tcpview)
  • hidden files (dir /ah)
  • recycle bin (dir /a)
  • chronology of events in logs (eventvwr)
• Look for current activity as well as past
Observe/Confirm Suspicions
• Gather information
  – Watch processes (Sysinternals procexp)
    • look at strings in the executable file
    • look at strings in process memory
  – Watch files (Sysinternals filemon)
    • look at strings in executable files (Sysinternals strings)
  – Watch network (Sysinternals tcpview)
    • look for listening ports
    • look for foreign connections
Disarm/Contain/Remove
• Immediately close means of entry
  • unplug network
  • disable wireless
  • remove all removable media
  • check for hardware keystroke loggers
• Run full malware scan and remove (e.g., police)
• Search the web for observed entities
  – to find ways to remove manually, and remove
• Remove ways to re-infect at startup (e.g., unlocked)
• Restart after all of the above to kill all remaining
Block/Monitor Means of Entry
• Major entry points/vectors to block/monitor
  – users allowed on the system
    • audit successful and failed logins (Control Panel / Administrative Tools / Local Security Settings / Local Policies / Audit Policy)
    • monitor logs (eventvwr)
    • do not give users administrator privileges
    • disable accounts when not in use
  – network
    • disable network when not in use (netsh interface set interface)
    • firewall, with logging of attempts (netsh firewall)
  – removable media
    • turn off autorun of inserted media
    • on-demand antivirus scan on read; review antivirus logs
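The three entry points on this slide (users, network, removable media), closed with the XP commands the slide names, as an added cmd.exe script that is not part of the original deck. It assumes Windows XP SP2 or later run from an Administrator command prompt; the interface name, account name and log path are constructed placeholders.

```batch
@echo off
rem block-entry.cmd -- added example, not from the slides.  Usage:
rem   block-entry.cmd            apply firewall, account and autorun settings
rem   block-entry.cmd offline    additionally take the network interface down
rem   block-entry.cmd online     bring the network interface back up
setlocal
set IFACE=Local Area Connection
set SPARE_ACCOUNT=guestuser
set FWLOG=%SystemRoot%\pfirewall.log

rem --- network: firewall on with no inbound exceptions, logging both dropped
rem     packets and successful connections ("firewall, with logging of attempts")
netsh firewall set opmode mode=ENABLE exceptions=DISABLE
netsh firewall set logging filelocation="%FWLOG%" maxfilesize=4096 droppedpackets=ENABLE connections=ENABLE

rem --- network: "disable network when not in use"; the same command with
rem     admin=ENABLED re-enables the interface
if /i "%1"=="offline" netsh interface set interface name="%IFACE%" admin=DISABLED
if /i "%1"=="online"  netsh interface set interface name="%IFACE%" admin=ENABLED

rem --- users: "disable accounts when not in use" rather than leaving a spare
rem     account (placeholder name) enabled with a possibly weak password
net user "%SPARE_ACCOUNT%" /active:no

rem --- removable media: 0xFF in NoDriveTypeAutoRun turns autorun off for
rem     every drive type for the current user (the weak default leaves it on)
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f

rem --- echo the resulting state so it can be recorded in the baseline
netsh firewall show opmode
netsh firewall show logging
net user "%SPARE_ACCOUNT%" | find /i "Account active"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun
```

Review the firewall log at the path set in FWLOG alongside eventvwr when monitoring; with exceptions disabled, file and printer sharing from other home machines will be blocked as well.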
What Was Removed, Damaged, Left Behind
• Make a list of what you have before an incident
  – has to be kept up to date if upgrading the OS
  – backups, file integrity tools (Osiris)
• If possible, make an offline copy of the disk first and work from it
• Compare the current state to the saved list/backups
• Search the web for suspicious files
• Ensure up-to-date antivirus (AV) signatures
  – Scan the disk for viruses, possibly with a few AVs
• If a rootkit is installed, might have to:
  – boot Helix/SysResCD/FIRE CD to mount the Windows drive read-only and inspect it
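The "make a list before the incident, then compare" step on this slide, built from the XP tools listed under "Arm Yourself" and "Is Something Wrong?" (users, administrators, services, scheduled tasks, listening ports, files), as an added cmd.exe script that is not part of the original deck. It assumes Windows XP SP2 with these tools on the PATH; the baseline folder, temp folder and script name are constructed.

```batch
@echo off
rem baseline.cmd -- added example, not from the slides.  Usage:
rem   baseline.cmd save     right after a clean install and patching
rem   baseline.cmd check    whenever something seems "wrong"
setlocal
set BASE=%USERPROFILE%\baseline
set NOW=%TEMP%\baseline-now
if /i "%1"=="save" (set OUT=%BASE%) else (set OUT=%NOW%)
if not exist "%OUT%" mkdir "%OUT%"

rem Snapshot the things the slides say to know about your system.  PIDs and
rem client connections change on every boot, so only LISTENING sockets are kept
rem and the PID column (-o) is left out; task run times are dropped the same way.
net user                                    > "%OUT%\users.txt"
net localgroup administrators               > "%OUT%\admins.txt"
sc query state= all | find "SERVICE_NAME"   > "%OUT%\services.txt"
schtasks /query /fo list | find "TaskName"  > "%OUT%\tasks.txt"
netstat -an | find "LISTENING"              > "%OUT%\ports.txt"
dir /b /a "%SystemRoot%\system32"           > "%OUT%\system32.txt"

if /i "%1"=="save" (
    echo Baseline saved under %OUT% -- keep an offline copy of it as well.
    goto :eof
)

rem fc exits 0 only when both files match, so the block after || runs on any
rem difference or a missing baseline.  Added lines mean new accounts, admins,
rem services, tasks, listening ports or system32 files since the snapshot.
rem (Names only: a replaced file with the same name needs a hashing tool such
rem as Osiris, as the slide notes.)
set CHANGED=0
for %%f in (users admins services tasks ports system32) do (
    fc "%BASE%\%%f.txt" "%OUT%\%%f.txt" >nul || (
        echo *** %%f differs from baseline:
        fc "%BASE%\%%f.txt" "%OUT%\%%f.txt"
        set CHANGED=1
    )
)
if "%CHANGED%"=="0" echo No differences from baseline.
```

Re-run `baseline.cmd save` after every deliberate change (patches, new software, new accounts) so that a later `check` reports only what you did not do yourself.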
Replace, Clean/Fix, Remove
• Safest thing to do: format and re-install the OS
  – disconnect from the net first
  – use another computer to download patches
    • apply patches
  – re-establish any blocks for entry done before
• Sometimes can replace files, remove services (sc), delete files, etc.
  – safest is to do it from a Linux CD with the Windows disk mounted read/write
• Don’t forget applications may allow re-infecting
  – might need to uninstall and re-install from original media
Conclusion
• Being more secure and staying that way is not simple
• Know your system
• Establish a baseline and keep it updated
• Use a script to investigate suspicious incidents
• Don’t blame your dog for not warning you
Credits
– “Hotel California”: Eagles
– Windows XP Start: Microsoft
– “Stranger in My House”: Ronnie Milsap
– “Who Are You?”: The Who
– “Every Breath You Take”: The Police
– “We’re All Alone”: Boz Scaggs
– “Brahms Lullaby”: S. Stefano Protomartire