When Your Dog Can’t Help You: Malware in the Home Stephen Rondeau Institute of Technology 7 May 2008


Page 1

When Your Dog Can’t Help You: Malware in the Home

Stephen Rondeau

Institute of Technology

7 May 2008

Page 2

Home Scenario

• Effect 1
• Effect 2
• Effect 3
• Effect 4
• Effect 5
• Effect 6
• Effect 7

Page 3

In Dog We Trust

• Dogs:
  – are better than us, in these senses:
    • smell, sight (in the dark, and of movement), hearing
  – can detect differences quickly
  – may bark to alert us to differences
  – can scare, chase away, or harm other animals
  – are great as home monitors and defenders

Page 4

Schank’s For the Memory

• We learn/follow scripts in various situations
  – We and others play roles in the script
• Scripts are stereotyped sequences of actions
• We summon a script for a given situation
  • This leads to expectations of things to occur
• Roger Schank & Robert Abelson, Scripts, Plans, Goals, and Understanding: An Inquiry Into Human Knowledge Structures, Lawrence Erlbaum, 1977

Page 5

Scripting the Night: Fantastic!

– Determine If Something Is “Wrong”
– Form Idea of What May Have Happened
– Arm Yourself/Prepare to Raise Alarm/Hide
– Locate the Source/Follow the Evidence
– Observe/Confirm Suspicions
– Disarm/Contain, Scare Away or Remove the Intruder
– Block/Monitor Means of Entry
– Determine What Was Removed, Damaged, Left Behind
– Replace, Clean/Fix, Remove

Page 6

Is Something “Wrong”?

• Implies knowing what is “right”
  – know your system in terms of:
    • authorized users
    • valid services and applications, especially those using the network
    • how much time some programs take to run
    • how long it normally takes to download something
    • what files you have and how much disk space you use
• In short, look for anomalies in: users, running programs, performance, network traffic, and file space

Page 7

What May Have Happened

• Did you or someone you trust recently…
  – add a new user account?
  – add a user to the Administrators group?
  – use a weak password?
  – install some new software?
  – use a floppy, USB drive or CD/DVD?
  – forget to:
    – patch Windows?
    – update antivirus?
    – turn on the firewall?

Page 8

Arm Yourself/Raise Alarm/Hide

– Light the way
– Be familiar with some (XP) tools to:
  • determine a baseline (MS Baseline Security Analyzer)
  • detect problems (spyware/antivirus scan)
  • show user accounts (net user)
  • show privileges (net localgroup administrators)
  • show or kill processes (tasklist, taskkill; Sysinternals procexp)
  • manage services (sc; services.msc)
  • show scheduled tasks (schtasks)
  • list files by date of last modification (dir /od)
– Search the web for suspicious files and services
– Prefer tools run from external, known-clean media, like www.e-fense.com/helix, since tools already installed on a compromised system can be subverted
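The two account commands above print plain text, and the anomaly check from page 6 ("authorized users") is a comparison against what you know you created. The following is an added example for this page, not tooling from the original deck: it parses `net user` and `net localgroup administrators` output pasted from the suspect machine and reports accounts and Administrators members you did not authorize. The sample outputs are constructed; the account named `svchost` is invented to look like a system process, and the EXPECTED_* sets are an assumption about a one-user home PC.

```python
"""Compare XP local accounts and Administrators membership against the
accounts you know you authorized, by parsing `net user` and
`net localgroup administrators` output. Added example for this page, not
from the original deck. Sample outputs are constructed; 'svchost' is an
invented lookalike account; EXPECTED_* are assumptions about the box.
"""
import re

# Constructed `net user` output: names in up to three wide columns per line.
NET_USER_OUTPUT = """\
User accounts for \\\\HOMEPC

-------------------------------------------------------------------------------
Administrator            Guest                    HelpAssistant
SUPPORT_388945a0         alice                    svchost
The command completed successfully.
"""

# Constructed `net localgroup administrators` output: one member per line.
NET_LOCALGROUP_OUTPUT = """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
alice
svchost
The command completed successfully.
"""

# Assumption: XP's default accounts plus the one human user on this PC.
EXPECTED_USERS = {"Administrator", "Guest", "HelpAssistant",
                  "SUPPORT_388945a0", "alice"}
# Assumption: day-to-day use is from a limited account, so only the
# built-in Administrator belongs in the group.
EXPECTED_ADMINS = {"Administrator"}


def _body_lines(output):
    """Lines between the dashed separator and the 'command completed' footer."""
    body, in_body = [], False
    for line in output.splitlines():
        if not in_body:
            in_body = line.startswith("----")
            continue
        if line.startswith("The command completed"):
            break
        if line.strip():
            body.append(line)
    return body


def parse_net_user(output):
    """Account names from `net user`. Columns are separated by runs of
    spaces, so split on two or more; single spaces inside a name survive."""
    names = set()
    for line in _body_lines(output):
        names.update(re.split(r" {2,}", line.strip()))
    return names


def parse_net_localgroup(output):
    """Member names from `net localgroup <group>`, one per line."""
    return {line.strip() for line in _body_lines(output)}


def account_anomalies(net_user_output, localgroup_output,
                      expected_users=EXPECTED_USERS,
                      expected_admins=EXPECTED_ADMINS):
    """Accounts that exist but were not authorized, authorized accounts that
    have vanished, and Administrators members beyond the expected set."""
    users = parse_net_user(net_user_output)
    admins = parse_net_localgroup(localgroup_output)
    return {
        "unexpected_users": sorted(users - expected_users),
        "missing_users": sorted(expected_users - users),
        "unexpected_admins": sorted(admins - expected_admins),
    }


if __name__ == "__main__":
    report = account_anomalies(NET_USER_OUTPUT, NET_LOCALGROUP_OUTPUT)
    for kind, names in report.items():
        print(f"{kind}: {', '.join(names) or '(none)'}")
```

Do the comparison on a trusted computer: the commands themselves have to run on the suspect machine, but nothing about the check requires the result to be interpreted there. The "missing_users" bucket matters as much as the others; an account that disappeared from a baseline you maintained is also a change you did not make.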

Page 9

Locate Source/Follow Evidence

• Where's the problem? Look in:
  • c:\windows; c:\windows\system32 (dir /od)
  • registry (regedit)
  • startup locations (Sysinternals autoruns)
  • network ports (netstat -anob; Sysinternals tcpview)
  • hidden files (dir /ah)
  • recycle bin (dir /a)
  • chronology of events in logs (eventvwr)
• Look for current activity as well as past

Page 10

Observe/Confirm Suspicions

• Gather information
  – Watch processes (Sysinternals procexp)
    • look at strings in the executable file
    • look at strings in process memory
  – Watch files (Sysinternals filemon)
    • look at strings in executable files (Sysinternals strings)
  – Watch network (Sysinternals tcpview)
    • look for listening ports
    • look for foreign connections
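The two network checks on this page and the `netstat -anob` item on page 9 come down to reading one command's output for two things: what is listening, and who the machine is talking to off the home network. The following is an added example for this page, not the deck's own tooling: it parses `netstat -anob` text (XP SP2 or later, run from an administrator account), lists listeners with their owning process, flags connections to hosts outside the LAN, and picks out processes that do both, which is the shape of a backdoor or IRC bot. NETSTAT_SAMPLE is constructed and shortened (real XP output prints the DLL chain behind each socket before the bracketed image name); 203.0.113.77 is a documentation address standing in for an unknown Internet host, `winupd32.exe` is an invented process name, and HOME_NETWORKS is an assumption about the LAN.

```python
"""Triage `netstat -anob` output: listeners, off-LAN connections, and
processes that do both. Added example for this page, not from the deck.
NETSTAT_SAMPLE is constructed; 203.0.113.77 is a placeholder remote host,
winupd32.exe an invented process, HOME_NETWORKS an assumed LAN layout.
"""
import ipaddress
import re

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  RpcSs
  [svchost.exe]

  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  [System]

  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       1844
  [winupd32.exe]

  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1040
  [alg.exe]

  TCP    192.168.1.5:1043       203.0.113.77:6667      ESTABLISHED     1844
  [winupd32.exe]

  TCP    192.168.1.5:1052       192.168.1.1:80         ESTABLISHED     1320
  [iexplore.exe]

  UDP    0.0.0.0:445            *:*                                    4
  [System]
"""

# Assumption: the home LAN. Anything else (other than loopback) is foreign.
HOME_NETWORKS = [ipaddress.ip_network("192.168.1.0/24"),
                 ipaddress.ip_network("127.0.0.0/8")]

# proto, local, foreign, optional state (UDP has none), pid
CONN_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """One dict per socket. Indented lines after a socket line are its
    owning components; the [image] line names the executable."""
    sockets = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            sockets.append({"proto": proto, "local": local, "foreign": foreign,
                            "state": state or "", "pid": int(pid),
                            "image": None, "components": []})
            continue
        detail = line.strip()
        if not sockets or not detail:
            continue  # banner and column header precede the first socket
        if detail.startswith("[") and detail.endswith("]"):
            sockets[-1]["image"] = detail[1:-1]
        else:
            sockets[-1]["components"].append(detail)
    return sockets


def _split_endpoint(endpoint):
    host, _, port = endpoint.rpartition(":")
    return host, port


def is_foreign(host, home_networks=HOME_NETWORKS):
    """True for a peer address outside the configured home networks."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # '*' in UDP's "*:*" is not a peer
    if ip.is_unspecified:
        return False  # 0.0.0.0:0 is a listener's "no peer yet"
    return not any(ip in net for net in home_networks)


def listening_ports(sockets):
    """(proto, port, pid, image) for TCP listeners and every bound UDP socket."""
    found = set()
    for s in sockets:
        if s["state"] == "LISTENING" or s["proto"] == "UDP":
            port = int(_split_endpoint(s["local"])[1])
            found.add((s["proto"], port, s["pid"], s["image"]))
    return sorted(found)


def foreign_connections(sockets, home_networks=HOME_NETWORKS):
    """(proto, foreign endpoint, pid, image) for each connection off the LAN."""
    out = []
    for s in sockets:
        host, _ = _split_endpoint(s["foreign"])
        if is_foreign(host, home_networks):
            out.append((s["proto"], s["foreign"], s["pid"], s["image"]))
    return out


def listen_and_call_out(sockets, home_networks=HOME_NETWORKS):
    """PIDs that both accept connections and talk to a foreign host."""
    listeners = {pid for _, _, pid, _ in listening_ports(sockets)}
    callers = {pid for _, _, pid, _ in foreign_connections(sockets, home_networks)}
    return sorted(listeners & callers)


if __name__ == "__main__":
    socks = parse_netstat(NETSTAT_SAMPLE)
    print("listening:", *listening_ports(socks), sep="\n  ")
    print("foreign:", *foreign_connections(socks), sep="\n  ")
    print("listen and call out (PIDs):", listen_and_call_out(socks))
```

A listener on a well-known service port (135, 445) owned by svchost.exe or System is normal on XP; the same port pattern owned by an image you cannot account for is what to chase, and the image name is exactly what the "search the web for observed entities" step on the next page takes as input. Bear in mind that netstat runs on the suspect machine: a rootkit can hide sockets from it, so an empty result is weaker evidence than a suspicious one.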

Page 11

Disarm/Contain/Remove

• Immediately close means of entry
  • unplug network
  • disable wireless
  • remove all removable media
  • check for hardware keystroke loggers
• Run a full malware scan and remove (e.g., police)
• Search the web for observed entities
  – to find ways to remove manually, and remove
• Remove ways to re-infect at startup (e.g., unlocked)
• Restart after all of the above to kill all remaining

Page 12

Block/Monitor Means of Entry

• Major entry points/vectors to block/monitor
  – users allowed on the system
    • audit successful and failed logins (Control Panel > Administrative Tools > Local Security Settings > Local Policies > Audit Policy)
    • monitor logs (eventvwr)
    • do not give users administrator privileges
    • disable accounts when not in use
  – network
    • disable the network when not in use (netsh interface set interface)
    • firewall, with logging of attempts (netsh firewall)
  – removable media
    • turn off AutoRun/AutoPlay for inserted media
    • on-demand antivirus scan on read; review antivirus logs

Page 13

What Was Removed, Damaged, Left Behind

• Make a list of what you have before an incident
  – it has to be kept up to date when upgrading or patching the OS
  – backups, file integrity tools (Osiris)
• If possible, make an offline copy of the disk first and work on that copy
• Compare the current state to the saved list/backups
• Search the web for suspicious files
• Ensure up-to-date antivirus (AV) signatures
  – Scan the disk for viruses, possibly with a few AVs
• If a rootkit is installed, might have to:
  – boot Helix/SysResCD/FIRE CD to mount the Windows drive read-only and inspect it
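The "make a list before, compare after" step above is a file-integrity baseline, and the `dir /od` listing from page 8 is its weakest form: it keys on modification time, which an intruder can reset. The following is an added example for this page, not Osiris or any other tool the deck names: it records size, mtime and SHA-256 per file, saves the baseline as JSON, and classifies a later snapshot into added, removed, modified and "timestomped" files (content changed, mtime unchanged, which a date listing would never show). Point it at a Windows drive mounted read-only from a Linux live CD, or at C:\WINDOWS\system32 on the running system with the caveat that a live rootkit can lie to it. The `demo_scenario()` fixture builds a throwaway directory with invented file names (`winupd32.exe` and so on) so the four outcomes can be seen offline.

```python
"""File baseline and diff for the 'list before, compare after' step. Added
example for this page, not Osiris or any tool the deck names. The
demo_scenario() fixture and its file names are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Content hash, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative path, forward slashes)
    to its size, modification time and content hash."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"size": st.st_size, "mtime": st.st_mtime,
                             "sha256": sha256_file(full)}
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(old, new):
    """Classify differences. 'timestomped' means the content changed but the
    mtime did not: invisible to `dir /od`, caught by the hash."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified, timestomped = [], []
    for rel in sorted(set(old) & set(new)):
        if old[rel]["sha256"] == new[rel]["sha256"]:
            continue
        if old[rel]["mtime"] == new[rel]["mtime"]:
            timestomped.append(rel)
        else:
            modified.append(rel)
    return {"added": added, "removed": removed,
            "modified": modified, "timestomped": timestomped}


def _write(path, data, mtime):
    """Write a file and pin its mtime, as a timestamp-resetting intruder would."""
    with open(path, "wb") as f:
        f.write(data)
    os.utime(path, (mtime, mtime))


def demo_scenario():
    """Constructed fixture: baseline four files, then add one, delete one,
    modify one honestly and modify one while restoring its old mtime."""
    root = tempfile.mkdtemp()
    sysdir = os.path.join(root, "system32")
    os.mkdir(sysdir)
    t0 = 1_200_000_000  # arbitrary fixed timestamp
    for name, data in [("kernel32.dll", b"ok"), ("svchost.exe", b"v1"),
                       ("ws2_32.dll", b"v1"), ("old.log", b"junk")]:
        _write(os.path.join(sysdir, name), data, t0)
    store = os.path.join(root, "baseline.json")  # kept outside the scanned tree
    save_baseline(snapshot(sysdir), store)

    _write(os.path.join(sysdir, "svchost.exe"), b"v2", t0 + 3600)    # honest change
    _write(os.path.join(sysdir, "ws2_32.dll"), b"v2", t0)            # timestomped
    os.remove(os.path.join(sysdir, "old.log"))
    _write(os.path.join(sysdir, "winupd32.exe"), b"new", t0 + 3600)  # dropped file
    return compare(load_baseline(store), snapshot(sysdir))


if __name__ == "__main__":
    import sys
    # usage: baseline.py snapshot ROOT OUT.json | baseline.py compare ROOT OLD.json
    if len(sys.argv) == 4 and sys.argv[1] in ("snapshot", "compare"):
        cmd, root, store = sys.argv[1:]
        if cmd == "snapshot":
            save_baseline(snapshot(root), store)
        else:
            for kind, files in compare(load_baseline(store), snapshot(root)).items():
                for rel in files:
                    print(kind, rel)
    else:
        print(json.dumps(demo_scenario(), indent=1))
```

Keep the saved baseline somewhere the machine cannot reach (a CD or a second computer): a baseline stored on the disk being baselined can be edited by whatever you are looking for. Re-snapshot after every Windows update, or every patched system file will show up as "modified".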

Page 14

Replace, Clean/Fix, Remove

• Safest thing to do: format and re-install the OS
  – disconnect from the net first
  – use another computer to download patches
    • apply patches
  – re-establish any blocks on entry done before
• Sometimes can replace files, remove services (sc), delete files, etc.
  – safest is to do it from a Linux CD with the Windows disk mounted read/write
• Don’t forget applications may allow re-infecting
  – might need to uninstall and re-install from original media

Page 15

Conclusion

• Being more secure and staying that way is not simple
• Know your system
• Establish a baseline and keep it updated
• Use a script (in Schank’s sense: a rehearsed sequence of steps) to investigate suspicious incidents
• Don’t blame your dog for not warning you

Page 16

Credits

– “Hotel California”: Eagles
– Windows XP Start: Microsoft
– “Stranger in My House”: Ronnie Milsap
– “Who Are You?”: The Who
– “Every Breath You Take”: The Police
– “We’re All Alone”: Boz Scaggs
– “Brahms Lullaby”: S. Stefano Protomartire