So your computer is infected: Now what?
Brian Allen (Network Security Analyst)
Tyler Merchant (Security lackey)
Network Security Office (nso.wustl.edu)
October 2008


Outline

  • Infections

    • 1) r57 shell

    • 2) rogue software

  • What Can We Do?

    • 1) Seccheck

    • 2) Virus total

    • 3) Sandbox

  • Prevention

    • 1) Personal Software Inspector

    • 2) Network Software Inspector


Basic Steps for an Infection

  • Save all important data

  • Best: wipe the machine and do a fresh install

  • If this is not possible, then try to clean it

  • Change all passwords

  • Install latest anti-virus software

  • Apply all patches

  • Turn on the Firewall

  • Let the NSO know so we can search for other compromised machines


Advanced Steps for an Infection

  • SecCheck

  • Virus Total

  • Malware Analysis:

    • Norman Sandbox

    • Anubis

    • CWSandbox

    • Threat Expert


Different Types of Infections

  • Virus – Relies on users to spread: email attachments, links in an email

  • Worm – can spread on its own

  • Trojan – A malicious file that appears to be legitimate

  • Bot – A worm that phones home to a Command & Control (C&C) server so the attacker can give it instructions


What Do Most Infections Do?

  • Send Spam

  • Scan the network

  • Attack other machines as part of a DDoS (Distributed Denial of Service) attack

  • Run a distribution server for malicious files: web server or ftp server

  • Set up a Phishing site

  • Act as a proxy for other malicious traffic

  • Download spyware and adware to the machine

  • Run a keylogger


Guidelines for Attempting to Clean a Machine

  • Install an AV tool like Symantec Anti-Virus Corporate Edition with the latest signatures and run a full scan

  • Other techniques/tools:

    • Seccheck (Windows)

    • netstat -anb (Windows command line)

    • lsof (Linux)

    • Ultimate Boot CD for Windows (UBCD)

    • Sysinternals Suite (Windows GUI)
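
As an added example that is not part of the talk, the script below parses the output of `netstat -anb` (which, with `-b`, prints the owning component and `[executable]` under each socket line) and flags listeners with an unexpected owner and outbound sessions on unusual ports; the sample output and both allowlists are constructed assumptions, not real data from the presentation.

```python
import re

# Constructed sample approximating `netstat -anb` output on Windows (not from the talk).
# -b needs an elevated prompt, hence the entry whose owner could not be obtained.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    192.168.1.10:49211     203.0.113.7:6667       ESTABLISHED
 [updater.exe]
  TCP    192.168.1.10:49300     198.51.100.20:443      ESTABLISHED
 [firefox.exe]
"""

SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
# Constructed allowlists for this example; tune them to the machine being examined.
EXPECTED_LISTENERS = {"svchost.exe", "System"}
USUAL_REMOTE_PORTS = {"80", "443", "53"}

def parse_netstat(text):
    """Group each socket line with the [executable] line netstat -b prints below it."""
    records = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            proto, local, remote, state = m.groups()
            records.append({"proto": proto, "local": local, "remote": remote,
                            "state": state or "", "owner": ""})
        elif records and line.strip():
            exe = re.search(r"\[(.+?)\]", line)  # component names carry no brackets
            if exe:
                records[-1]["owner"] = exe.group(1)
    return records

def triage(records):
    """Flag listeners with unexpected owners and outbound sessions on unusual ports."""
    findings = []
    for r in records:
        owner = r["owner"] or "unknown"
        if r["state"] == "LISTENING" and r["owner"] not in EXPECTED_LISTENERS:
            findings.append(f"listener {r['local']} owned by {owner}")
        elif r["state"] == "ESTABLISHED":
            port = r["remote"].rsplit(":", 1)[-1]
            if port not in USUAL_REMOTE_PORTS:
                findings.append(f"outbound {r['remote']} from {owner}")
    return findings
```

Findings are leads for a closer look with Sysinternals or SecCheck, not verdicts; a listener with an unknown owner is often just a kernel-owned service.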


Spam Proxies and SecCheck

  • Lawrence Baldwin is the author of seccheck and owner of mynetwatchman.com

  • He was directly involved in taking down a spam botnet which was responsible for sending out 5-10% of the mail on the Internet, roughly 2-10 billion spam messages per day


SecCheck continued

  • Windows forensic tool

  • Aids in the detection and removal of malicious software

  • Passive

  • Runs in about three to six minutes

  • Send me the URL for the report and I can help analyze it


STC Josh Leibner after running SecCheck

“I'm pretty baffled as to why AV, HijackThis, and AdAware didn't catch any of this. I'll set up another appointment with the student so that I can more thoroughly clean the computer.”


Actual Reports for WashU IPs

  • http://sc.mynetwatchman.com/seccheck/SubmissionStatus.jsp?submissionID=190837b316eedbd6aab02db074f67a77

  • http://sc.mynetwatchman.com/seccheck/SubmissionStatus.jsp?submissionID=76a554a590f845d26fc06274d5a847c8

  • http://sc.mynetwatchman.com/seccheck/SubmissionStatus.jsp?submissionID=4d7ab225b5f447f6346db1f4733bbac6

  • http://sc.mynetwatchman.com/seccheck/SubmissionStatus.jsp?submissionID=70c2f42b966fe39baf6478595d92403b

  • http://sc.mynetwatchman.com/seccheck/SubmissionStatus.jsp?submissionID=7bc71e08adf1cf344d1689ac7a0d08a9


Prevention Tools

  • Use a tool to check for third-party software vulnerabilities like Secunia’s PSI or NSI


Useful Links

  • http://www.virustotal.com/

  • http://www.norman.com/microsites/nsic/

  • http://anubis.iseclab.org/index.php

  • http://www.cwsandbox.org/

  • http://www.mynetwatchman.com/tools/sc/

  • http://technet.microsoft.com/en-us/sysinternals/default.aspx

  • http://www.ubcd4win.com/


Contact Information and More Useful Links

  • http://nso.wustl.edu – NSO website

  • If you have a computer security incident, email the NSO at [email protected] or me directly at [email protected]

  • http://www.wustl.edu/policies/compolcy.html - WashU Computer Policy

  • www.mynetwatchman.com/tools/sc/ - Seccheck

  • www.ubcd4win.com – Ultimate Boot CD for Windows

  • www.antiphishing.org – Phishing Information

  • mozilla.com – Download Firefox

  • http://www.microsoft.com/athome/security/spyware/software/default.mspx - Microsoft Defender


Watch Out for Malicious Links and Attachments

  • Links to phishing and hacking sites, as well as malicious files, can arrive by email, instant message, web page, etc.

  • Know your source!

  • Verify before clicking.

  • Don’t open anything unexpected.

  • ~100 users were removed from the network for days because of a bot infection transmitted through an AIM link


Most Important Security Tool: Your Brain

  • Use it to identify:

    • Phishing

    • Malicious links

  • And to protect personal information!

“Check out the big brain on Brett!”

