Presentation is loading. Please wait.

Presentation is loading. Please wait.

So Your Computer is Infected, Now What? STC/STS Tech Training 3:00-4:00, Tuesday, August 18, 2009 Brian Allen Network Security Analyst,

Published byRigoberto Shum Modified over 10 years ago

Similar presentations

Presentation on theme: "So Your Computer is Infected, Now What? STC/STS Tech Training 3:00-4:00, Tuesday, August 18, 2009 Brian Allen Network Security Analyst,"— Presentation transcript:

1 So Your Computer is Infected, Now What? STC/STS Tech Training 3:00-4:00, Tuesday, August 18, 2009 Brian Allen ballen@wustl.edu Network Security Analyst, Washington University in St. Louis http://nso.wustl.edu/presentations/ Copyright Brian Allen 2009. This work is the intellectual property of the author. Permission is granted for this material to be shared for non- commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 NSS NSO Business School Law School Arts & Sciences Medical School Engineering School Internets Decentralized Campus Network NSS = Network Services and Support NSO = Network Security Office Library Social Work Art & Architecture IS&T

3 Tools SecCheck Symantec Endpoint AV Ultimate Boot CD for Windows Knoppix Boot CD TrendMicro Online Scan Sysinternal Tools SpyBot Search and Destroy-Advanced Mode Clean It By Hand

4

5

6

7

8

9 We Interrupt This NSO Presentation For An Important Security Announcement

10

11

12 Knoppix Self contained and complete OS Will boot even if no hard drive Linux (command line) with a nice gui Knoppix has been around since 2000 Popular in the security community There are other Linux Live CDs ClamAV or F-Prot are free AV options

13

14

15

16 Sysinternals Tools I like Process Explorer Autoruns Process Monitor PSTools TCPView RootkitRevealer

17

18

19 Art of Cleaning It By Hand Favorite malware hideouts: c:\windows\system32, c:\windows\system, c:\windows\system32\drivers Find create and modify timestamps Start from that date look for more badness Look at the binary file attributes Rename or move each file as you go Purge every Temp directory Reboot, repeat

20 Current Threats Torpig, Mebroot - Sinowal Conficker worm Cutwail Rustock Grum virus BlackEnergy - HTTP-based botnet used primarily for DDoS attacks

21 Security Websites ThreatExpert Sandbox Virus Total Sunbelt CWSandbox Anubis Sandbox Norman Sandbox

22

23

24

25

26

27

28

29

30

31

32 Norman Email message.htm-MALWARE : INFECTED with W32/Malware (Signature: MyDoom) [ DetectionInfo ] * Filename: C:\analyzer\scan\message.htm-MALWARE. * Signature name: MyDoom.L@mm.MyDoom.L@mm * Executable type: Application. [ Changes to filesystem ] * Creates file C:\WINDOWS\TEMP\zincite.log. [ Changes to registry ] * Accesses Registry key "HKLM\Software\Microsoft\Daemon". [ Network services ] * Looks for an Internet connection. [ Process/window information ] * Creates process "services.exe"". * Will automatically restart after boot (I'll be back...).

33 Case Study Dear user, We have received reports that your account has been used to send a large amount of spam messages during the last week. We suspect that your computer had been infected by a recent virus and now contains a hidden proxy server. Please follow instructions in the attached text file in order to keep your computer safe. Best wishes, The WUSTL.EDU team.

34

35 NO! DON’T CLICK ON IT!

36 So Your Computer Is Infected, Now What?

37

38

39

40

41

42

43

44 Clean vs Rebuild? Pros/Cons Discussion

45 Books Cryptonomicon – fiction Cuckoo's egg - nonfiction Safaribooksonline.com – free for wustl.edu

Download ppt "So Your Computer is Infected, Now What? STC/STS Tech Training 3:00-4:00, Tuesday, August 18, 2009 Brian Allen Network Security Analyst,"

Similar presentations

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.
Student Laptop Program Victories and Defeats Dr. Timothy M. Chester, CIO Texas A&M University at Qatar

Student Laptop Program Victories and Defeats Dr. Timothy M. Chester, CIO Texas A&M University at Qatar
Presented by Jamie Leben IT-Works Computer Services

Presented by Jamie Leben IT-Works Computer Services
An Integrated Approach to Computer and Information Literacy Linda Ehley Alverno College Associate Professor CS EDUCAUSE 2003 Copyright – Linda Ehley 2003.

An Integrated Approach to Computer and Information Literacy Linda Ehley Alverno College Associate Professor CS EDUCAUSE 2003 Copyright – Linda Ehley 2003.
Tools for Help Desk Management: Assessment & Guidance Karen Pothering Elinor Pennsylvania State University Copyright.

Tools for Help Desk Management: Assessment & Guidance Karen Pothering Elinor Pennsylvania State University "Copyright.
What Does the Net Generation Expect From Us? SAC August 8, 2005 SAC August 8, 2005 Copyright © 2005, Joel L. Hartman. This work is the intellectual property.

What Does the Net Generation Expect From Us? SAC August 8, 2005 SAC August 8, 2005 Copyright © 2005, Joel L. Hartman. This work is the intellectual property.
Student, Faculty, and Staff Data Availability and Protection What’s the Back-Up Plan? (for academic computing) Sponsored by.

Student, Faculty, and Staff Data Availability and Protection What’s the Back-Up Plan? (for academic computing) Sponsored by.
© Copyright Computer Lab Solutions 2006. All rights reserved. Do you need usage information about your computer labs? Copyright Computer Lab Solutions.

© Copyright Computer Lab Solutions All rights reserved. Do you need usage information about your computer labs? Copyright Computer Lab Solutions.
Copyright Sylvia Maxwell and Michael White, 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared.

Copyright Sylvia Maxwell and Michael White, This work is the intellectual property of the author. Permission is granted for this material to be shared.
And how you can handle it.  Trojan horses  Spyware  Adware  Rootkits  Viruses  Worms Software that works without the victim’s permission.

And how you can handle it.  Trojan horses  Spyware  Adware  Rootkits  Viruses  Worms Software that works without the victim’s permission.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.
Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.

Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.
What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:

What Are Malicious Attacks? Malicious Attacks are any intentional attempts that can compromise the state of your computer. Including but not limited to:
Windows Malware: Detection And Removal TechBytes Tim Ramsey.

Windows Malware: Detection And Removal TechBytes Tim Ramsey.
Viruses and Spyware. What is a Virus? A virus can be defined as a computer program that can reproduce by changing other programs to include a copy of.

Viruses and Spyware. What is a Virus? A virus can be defined as a computer program that can reproduce by changing other programs to include a copy of.
Spring 2008 www.umsl.edu/~iclabs. Definitions  Virus  A virus is a piece of computer code that attaches itself to a program or file so it can spread.

Spring Definitions  Virus  A virus is a piece of computer code that attaches itself to a program or file so it can spread.
Pam Downs Ajay Gupta The Pennsylvania Prince George’s State University Community College Copyright Penn State University-2008. This work is the intellectual.

Pam Downs Ajay Gupta The Pennsylvania Prince George’s State University Community College "Copyright Penn State University This work is the intellectual.
INTERNET THREATS AND HOW TO PROTECT YOUR COMPUTER -BRIAN ARENDT.

INTERNET THREATS AND HOW TO PROTECT YOUR COMPUTER -BRIAN ARENDT.
Copyright Anthony K. Holden, 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,

Copyright Anthony K. Holden, This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,

Similar presentations

Ads by Google