
When Your Dog Can’t Help You: Malware in the Home Stephen Rondeau Institute of Technology 7 May 2008.




1 When Your Dog Can’t Help You: Malware in the Home Stephen Rondeau Institute of Technology 7 May 2008

2 Home Scenario Effect 1 Effect 2 Effect 3 Effect 4 Effect 5 Effect 6 Effect 7

3 In Dog We Trust
Dogs:
–are better than us, in these senses: smell, seeing (in dark and movement), hearing
–can detect differences quickly
–may bark to alert us of differences
–can scare, chase away, or harm other animals
–are great as home monitors and defenders

4 Schank’s For the Memory
We learn/follow scripts in various situations
–We and others play roles in the script
Scripts are stereotyped sequences of actions
We summon a script for a given situation
Leads to expectations of things to occur
Roger Schank & Robert Abelson, Scripts, Plans, Goals, and Understanding: An Inquiry Into Human Knowledge Structures, Lawrence Erlbaum, 1977

5 Scripting the Night: Fantastic!
–Determine If Something Is “Wrong”
–Form Idea of What May Have Happened
–Arm Yourself/Prepare to Raise Alarm/Hide
–Locate the Source/Follow the Evidence
–Observe/Confirm Suspicions
–Disarm/Contain, Scare Away or Remove the Intruder
–Block/Monitor Means of Entry
–Determine What Was Removed, Damaged, Left Behind
–Replace, Clean/Fix, Remove

6 Is Something “Wrong”?
Implies knowing what is “right”
–know your system in terms of:
  authorized users
  valid services and applications, especially those using the network
  how much time some programs take to run
  how long it normally takes to download something
  what files you have or disk space you use
In short, look for anomalies in:
–users, running programs, performance, network traffic, and file space

7 What May Have Happened
Did you or someone you trust recently…
–add a new user account?
–add a user to the Administrators group?
–use a weak password?
–install some new software?
–use a floppy, USB drive or CD/DVD?
–forget to:
  –patch Windows?
  –update antivirus?
  –turn on firewall?

8 Arm Yourself/Raise Alarm/Hide
–Light the way
–Be familiar with some (XP) tools to:
  determine baseline (MS Baseline Security Analyzer)
  detect problems (spyware/antivirus scan)
  show user accounts (net user)
  show privileges (net localgroup administrators)
  show or kill processes (tasklist, taskkill; sysinternals procexp)
  manage services (sc; services.msc)
  show scheduled tasks (schtasks)
  list files by date of last modification (dir /od)
–Search for suspicious files and services on the web
–Should use external tools, like www.e-fense.com/helix

9 Locate Source/Follow Evidence
Where's the problem? Look in:
  c:\windows; c:\windows\system32 (dir /od)
  registry (regedit)
  startup locations (sysinternals autoruns)
  network ports (netstat -anob; sysinternals tcpview)
  hidden files (dir /ah)
  recycle bin (dir /a)
  chronology of events in logs (eventvwr)
Look for current activity as well as past

10 Observe/Confirm Suspicions
Gather information
–Watch processes (sysinternals procexp)
  look at strings in the executable file
  look at strings in process memory
–Watch files (sysinternals filemon)
  look at strings in executable files (sysinternals strings)
–Watch network (sysinternals tcpview)
  look for listening ports
  look for foreign connections

11 Disarm/Contain/Remove
Immediately close means of entry
  unplug network
  disable wireless
  remove all removable media
  check for hardware keystroke loggers
Run full malware scan and remove (e.g., police)
Search for observed entities on the web
–to find ways to remove manually, and remove
Remove ways to re-infect at startup (e.g., unlocked)
Restart after all of the above to kill all remaining

12 Block/Monitor Means of Entry
Major entry points/vectors to block/monitor
–users allowed on the system
  audit successful and failed logins
    –CP/Adm tools/Local Sec Set/Local Policies/Audit Policy
  monitor logs (eventvwr)
  do not provide administrator privileges to users
  disable accounts when not in use
–network
  disable network when not in use (netsh interface set interface)
  firewall, with logging of attempts (netsh firewall)
–removable media
  turn off autorun of inserted media
  on-demand antivirus scan on read; review antivirus logs

13 What Was Removed, Damaged, Left Behind
Make a list of what you have before an incident
–have to keep it up to date if upgrading OS
–backups, file integrity tools (osiris)
If possible, make an offline copy of the disk first and use it
Compare current to saved list/backups
Search the web for suspicious files
Ensure up-to-date antivirus (AV) signatures
–Scan disk for viruses, possibly with a few AVs
If a rootkit is installed, might have to:
–boot Helix/SysResCD/FIRE CD to mount read-only and inspect the Windows drive
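Slides 6, 8 and 13 all turn on the same idea: record what the system normally looks like, then compare. The script below is an added example, not part of the deck, that builds that baseline from the tools the slides name (net user, net localgroup administrators, sc, schtasks, netstat, the registry Run keys) and diffs a fresh snapshot against it. It assumes Windows PowerShell is present on the machine and uses a baseline path of its own choosing.

```powershell
# Added example, not from the slides: snapshot the things the deck says to
# "know" about your system (users, Administrators group, services, scheduled
# tasks, listening ports, Run-key autoruns) using the XP-era tools it names,
# and diff a fresh snapshot against a saved baseline.
param(
    [string]$Baseline = "$env:USERPROFILE\baseline.txt",  # assumed path
    [switch]$Save    # -Save writes a new baseline instead of comparing
)

function Get-Snapshot {
    # Every line is prefixed with its section so a diff says which area changed.
    # Volatile fields (PIDs, next-run times) are left out to avoid noisy diffs.
    $sections = @{
        'USERS'     = { net user }
        'ADMINS'    = { net localgroup administrators }
        'SERVICES'  = { sc.exe query state= all | Select-String 'SERVICE_NAME' }
        'TASKS'     = { schtasks /query /fo list | Select-String '^TaskName' }
        'LISTENING' = { netstat -an | Select-String 'LISTENING' }
        'AUTORUN'   = {
            foreach ($hive in 'HKLM', 'HKCU') {
                $key = Get-Item "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
                if ($key) { $key.GetValueNames() | ForEach-Object { "$hive $_ = $($key.GetValue($_))" } }
            }
        }
    }
    foreach ($name in ($sections.Keys | Sort-Object)) {
        & $sections[$name] 2>$null | ForEach-Object {
            $line = "$_".Trim()
            if ($line) { "${name}: $line" }
        }
    }
}

if ($Save) {
    Get-Snapshot | Set-Content -Path $Baseline
    "Baseline written to $Baseline"
    return
}
if (-not (Test-Path $Baseline)) { throw "No baseline at $Baseline; run with -Save first." }

$diff = Compare-Object -ReferenceObject (Get-Content $Baseline) -DifferenceObject (Get-Snapshot)
if (-not $diff) { "No change from baseline."; return }
# '=>' marks items present now but absent from the baseline (new account,
# new admin, new listener, new autorun); '<=' marks items that have vanished.
$diff | Sort-Object InputObject | ForEach-Object { "{0} {1}" -f $_.SideIndicator, $_.InputObject }
```

Run it once with -Save while the machine is known good, then again whenever something feels "wrong"; a `=> ADMINS:` or `=> AUTORUN:` line is exactly the kind of anomaly slides 6 and 7 ask about.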

14 Replace, Clean/Fix, Remove
Safest thing to do: format and re-install OS
–disconnect from the net first
–use another computer to download patches
–apply patches
–re-establish any blocks for entry done before
Sometimes can replace files, remove services (sc), delete files, etc.
–safest is to do it from a Linux CD with the Windows disk in read/write mode
Don’t forget applications may allow re-infecting
–might need to uninstall and re-install from original media

15 Conclusion
Being more secure and staying that way is not simple
Know your system
Establish a baseline and keep it updated
Use a script to investigate suspicious incidents
Don’t blame your dog for not warning you

16 Credits
–“Hotel California”: Eagles
–Windows XP Start: Microsoft
–“Stranger in My House”: Ronnie Milsap
–“Who Are You?”: The Who
–“Every Breath You Take”: The Police
–“We’re All Alone”: Boz Scaggs
–“Brahms Lullaby”: S. Stefano Protomartire

