Focus on Microsoft
RE: FW: Blaster vs. Kaht2, detecting Windows root kits Aug 15 2003 04:01PM
Levinson, Karl (LevinsonK STARS-SMI com)
<aside> Many people and businesses are still in the mode where they think
you can just run antivirus and walk away from the computer. With the rise
in use of Windows root kits and worms with IRC backdoors, a virus infection
can be a very grave security intrusion, and first responders like
phone-based remote help desks may not detect the intrusion if a root kit is
keeping the antivirus from seeing the files in question. This may require
changing attitudes and procedures, and fast.

It's true as stated by others that the most reliable way to handle such
compromises is to format and/or image the workstation. The problem though
is that 1) first responders and antivirus software are likely to fail to
detect the compromise, and 2) you still probably want to be able to detect
and confirm that there is a compromise before you go to the trouble of
wiping the box(es) and disabling the user(s).

ANYHOW, most of the Windows root kits known today might be visible by one of
the following methods. Most of the methods below depend on you being able
to tell normal baseline Windows behavior, though having a second identical
clean system or doing www.google.com searches might help those without such
experience determine abnormal behavior:

1. Use the command NETSTAT -A and/or the free Fport tool from
www.foundstone.com/knowledge to look for suspicious programs, TCP/IP ports
or connections. This would detect not the root kit itself but a separate
networked program the root kit may be hiding, if there is such a program
installed. Current Windows root kits don't seem to hide information from
NETSTAT or FPORT, but this may not continue to be true of future root kits.
I know doing so is mentioned in the "to do" list in the readme for the Hacker
Defender rootkit.

2. Connect to the computer across the network from another Windows computer
running peer to peer Microsoft Networking / Client for Microsoft Networks.
Run an antivirus scan of the hard drive remotely, and/or try checking the
registry entries that can start up programs or services when Windows starts,
including but not limited to
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run and
runonce, the same locations under HKEY_CURRENT_USER, and if you're brave,
HKLM\system\currentcontrolset\services, etc. etc.

3. Boot the computer or hard drive to an alternate operating system, such as
by slaving the hard drive in another Windows system or using a special boot
CD or floppy if you have the know-how. Then, do the items above, such as
run antivirus, inspect registry keys, etc.

4. Looking at firewall or IDS logs might also give clues, if you know how to
tell normal traffic from abnormal. www.sygate.com and www.kerio.com are two
more or less free personal firewalls for Windows you might use in a
pinch, and www.snort.org is a free IDS. Again, you'd be detecting not the
rootkit itself but a network application hidden by the rootkit, assuming
there is one.

5. Many times, root kits are detected because the intruder failed to hide
everything and left traces, such as new files. For files, registry entries
and services that are not hidden by a root kit, normal incident response
procedures can still be helpful, possibly including inspecting which files
have changed in the past day or week, running a tool that looks for file
changes such as the free SIM from www.gfi.com, inspecting or monitoring log
files, etc.

There are other things that professionals with the time and expertise might
do, but hopefully these are feasible ways for non-security professionals and
first responders to try to detect a security problem.

HTH

kind regards,

- Karl

-----Original Message-----
From: Amer Karim [mailto:amerk (at) telus (dot) net [email concealed]]
Sent: 12 August 2003 14:39
To: 'Marc Fossi'
Subject: RE: Blaster vs. Kaht2

Out of curiosity, are there any symptomatic clues as to determining if the
system has been compromised by Kaht2? I can't seem to find any info on the
Symantec site.
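Added example (editor's code, not part of Karl's message or of any tool he names): item 1 of his list, turned into a check a first responder can run over saved NETSTAT output. Capture the output with "netstat -an" on the suspect box (-n keeps it from doing DNS lookups), paste it into a file, and run this against it. The sample output, the allowlist of expected listeners and the list of "suspicious" remote ports below are all constructed assumptions; adjust the allowlist to what your own clean baseline workstation shows. As Karl notes, this only catches what the rootkit is hiding on the network side, and only for as long as rootkits leave NETSTAT alone.

```python
"""Triage Windows `netstat -an` output against an allowlist of expected listeners.

Flags (a) listening sockets that are not on the expected list and
(b) established connections to remote ports associated with IRC, the
backdoor channel the post mentions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2200           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      192.168.1.20:445       ESTABLISHED
  TCP    192.168.1.10:1052      203.0.113.7:6667       ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:4010           *:*
"""

# Assumption: what a clean workstation in this environment normally listens on.
EXPECTED_LISTENERS: Set[Tuple[str, int]] = {("TCP", 135), ("TCP", 139),
                                            ("TCP", 445), ("UDP", 137)}
# Assumption: remote ports that deserve a closer look (common IRC ports).
SUSPICIOUS_REMOTE_PORTS: Set[int] = {6667, 6668, 6669, 7000}


@dataclass(frozen=True)
class Socket:
    proto: str
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: Optional[int]   # None for UDP "*:*"
    state: str                   # "" for UDP lines, which carry no state column


# One netstat data line: proto, local addr:port, foreign addr:port, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S+)?\s*$")


def parse_netstat(text: str) -> List[Socket]:
    """Parse the data lines of `netstat -an`; header and blank lines are skipped."""
    socks = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        socks.append(Socket(proto, laddr, int(lport), raddr,
                            None if rport == "*" else int(rport), state or ""))
    return socks


def triage(socks: List[Socket],
           expected: Set[Tuple[str, int]] = EXPECTED_LISTENERS,
           bad_remote: Set[int] = SUSPICIOUS_REMOTE_PORTS) -> List[Tuple[str, Socket]]:
    """Return (reason, socket) pairs worth a human look."""
    findings = []
    for s in socks:
        # TCP reports LISTENING explicitly; a UDP socket bound with "*:*" is a listener.
        listening = s.state == "LISTENING" or (s.proto == "UDP" and s.remote_addr == "*")
        if listening and (s.proto, s.local_port) not in expected:
            findings.append(("unexpected listener", s))
        elif s.state == "ESTABLISHED" and s.remote_port in bad_remote:
            findings.append(("suspicious outbound connection", s))
    return findings


if __name__ == "__main__":
    # On a real box: text = open("netstat.txt").read()
    for reason, s in triage(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{reason}: {s.proto} {s.local_addr}:{s.local_port} -> "
              f"{s.remote_addr}:{s.remote_port} {s.state}")
```

Run against the constructed sample it reports the TCP 2200 and UDP 4010 listeners and the connection to port 6667; the PID behind a listener is what Fport (or "netstat -ano" on XP and later) adds on top of this.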

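Added example (editor's code, not Karl's and not GFI's SIM): a small file-manifest tool that covers items 3 and 5 of his list. Used one way, it is the "what changed this week" check: build a manifest of a clean tree, keep it somewhere the box cannot touch, rebuild later and diff. Used the other way, it is the offline check: build one manifest on the running box and another from the same disk slaved into a clean system or booted from a rescue CD, then diff; a file that is in the offline manifest but "removed" in the live one is a candidate for something the rootkit is hiding from the running OS. The demo tree, file names and edits at the bottom are constructed; the mount points are your own.

```python
"""Build and compare file manifests {relative_path: (size, sha256)} of a directory tree."""
import hashlib
import json
import os
import tempfile
from typing import Dict, List, Tuple

Manifest = Dict[str, Tuple[int, str]]


def build_manifest(root: str) -> Manifest:
    """Hash every regular file under root (symlinks skipped). Run this from the
    clean system against the slaved drive, e.g. build_manifest("E:\\\\") (assumed path)."""
    manifest: Manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(full), h.hexdigest())
    return manifest


def save_manifest(manifest: Manifest, path: str) -> None:
    """Store the baseline off the suspect box (removable media, a share it cannot write)."""
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path: str) -> Manifest:
    with open(path) as fh:
        return {k: tuple(v) for k, v in json.load(fh).items()}


def compare_manifests(old: Manifest, new: Manifest) -> Dict[str, List[str]]:
    """old=baseline, new=current: files added/removed/modified since baseline.
    old=offline view, new=live view: 'removed' lists files the live OS does not show."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed run: baseline a tiny fake tree, then add, change and delete files."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "windows/system32/drivers/etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "windows/notepad.exe", b"MZ fake program image\n")
        baseline = build_manifest(root)
        # Changes an intruder might make (all constructed for the demo).
        _write(root, "windows/system32/svch0st.exe", b"MZ fake lookalike binary\n")
        _write(root, "windows/system32/drivers/etc/hosts",
               b"127.0.0.1 localhost\n127.0.0.1 av-update.example\n")
        os.remove(os.path.join(root, "windows", "notepad.exe"))
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Hash the whole tree, not just timestamps: a rootkit that hides files is not going to be careful about mtimes, but the point of the offline diff is that it works even when the live box lies, and a size-plus-hash comparison also catches a replaced binary that kept its old timestamp.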
