
When Your Dog Can’t Help You: Malware in the Home

Stephen Rondeau, Institute of Technology, 7 May 2008


Presentation Transcript


  1. Stephen Rondeau Institute of Technology 7 May 2008 When Your Dog Can’t Help You: Malware in the Home

  2. Home Scenario • Effect 1 • Effect 2 • Effect 3 • Effect 4 • Effect 5 • Effect 6 • Effect 7

  3. In Dog We Trust • Dogs: • are better than us, in these senses: • smell, sight (in the dark, and of movement), hearing • can detect differences quickly • may bark to alert us to differences • can scare, chase away, or harm other animals • are great as home monitors and defenders

  4. Schank’s For the Memory • We learn/follow scripts in various situations • We and others play roles in the script • Scripts are stereotyped sequences of actions • We summon a script for a given situation • Leads to expectations of things to occur • Roger Schank & Robert Abelson, Scripts, Plans, Goals, and Understanding: An Inquiry Into Human Knowledge Structures, Lawrence Erlbaum, 1977

  5. Scripting the Night: Fantastic! • Determine If Something Is “Wrong” • Form Idea of What May Have Happened • Arm Yourself/Prepare to Raise Alarm/Hide • Locate the Source/Follow the Evidence • Observe/Confirm Suspicions • Disarm/Contain, Scare Away or Remove the Intruder • Block/Monitor Means of Entry • Determine What Was Removed, Damaged, Left Behind • Replace, Clean/Fix, Remove

  6. Is Something “Wrong”? • Implies knowing what is “right” • know your system in terms of: • authorized users • valid services and applications, especially those using the network • how much time some programs take to run • how long it normally takes to download something • what files you have and how much disk space you use • in short, look for anomalies in: • users, running programs, performance, network traffic, and file space

  7. What May Have Happened • Did you or someone you trust recently… • add a new user account? • add a user to the Administrators group? • use a weak password? • install some new software? • use a floppy, USB drive or CD/DVD? • forget to: • patch Windows? • update antivirus? • turn on firewall?

  8. Arm Yourself/Raise Alarm/Hide • Light the way • Be familiar with some (XP) tools to: • determine a baseline (MS Baseline Security Analyzer) • detect problems (spyware/antivirus scan) • show user accounts (net user) • show privileges (net localgroup administrators) • show or kill processes (tasklist, taskkill; sysinternals procexp) • manage services (sc; services.msc) • show scheduled tasks (schtasks) • list files by date of last modification (dir /od) • Search the web for suspicious files and services • Prefer tools run from trusted external media, such as the Helix CD (www.e-fense.com/helix): malware on the disk can tamper with the copies of these tools already installed

  9. Locate Source/Follow Evidence • Where's the problem? Look in: • c:\windows; c:\windows\system32 (dir /od) • registry (regedit) • startup locations (sysinternals autoruns) • network ports (netstat -anob; sysinternals tcpview) • hidden files (dir /ah) • recycle bin (dir /a; on XP with NTFS this is C:\RECYCLER) • chronology of events in logs (eventvwr) • Look for current activity as well as past

  10. Observe/Confirm Suspicions • Gather information • Watch processes (sysinternals procexp) • look at strings in the executable file • look at strings in process memory • Watch files (sysinternals filemon; since superseded by Process Monitor) • look at strings in executable files (sysinternals strings) • Watch the network (sysinternals tcpview) • look for listening ports • look for foreign connections

  11. Disarm/Contain/Remove • Immediately close means of entry • unplug the network • disable wireless • remove all removable media • check for hardware keystroke loggers • Run a full malware scan and remove what it finds • Search the web for the entities you observed • to find ways to remove them manually, and remove them • Remove ways to re-infect at startup • Restart after all of the above to kill any remaining processes

  12. Block/Monitor Means of Entry • Major entry points/vectors to block/monitor • users allowed on the system • audit successful and failed logins • Control Panel > Administrative Tools > Local Security Settings > Local Policies > Audit Policy • monitor logs (eventvwr) • do not give users administrator privileges • disable accounts when not in use • network • disable the network when not in use (netsh interface set interface) • firewall, with logging of attempts (netsh firewall) • removable media • turn off AutoRun for inserted media • on-access antivirus scanning; review antivirus logs
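The controls on slide 12 can be applied from the command line instead of the Control Panel. The batch script below is an added example and is not part of Stephen Rondeau's deck. It assumes Windows XP SP2 or later with cmd.exe run from an Administrator account; the interface name "Local Area Connection" (XP's default), the temporary file names and the log size are assumptions you may need to change. The audit policy is written with secedit from a small security template, which is the command-line equivalent of the Local Security Settings path given on the slide.

```batch
@echo off
REM harden.cmd : block and monitor the entry points listed on slide 12.
REM Added example, not from the original deck. Assumptions: Windows XP SP2+,
REM cmd.exe run as Administrator; the NIC name below is XP's default and may
REM differ on your machine (netsh interface show interface lists the names).
setlocal
set IFACE=Local Area Connection

REM --- users: audit logons, keep unused accounts off, review who is an admin ---
REM Same setting as Control Panel > Administrative Tools > Local Security Settings
REM > Local Policies > Audit Policy. Value 3 = audit both success and failure.
> "%TEMP%\audit.inf" echo [Unicode]
>> "%TEMP%\audit.inf" echo Unicode=yes
>> "%TEMP%\audit.inf" echo [Version]
>> "%TEMP%\audit.inf" echo signature="$CHICAGO$"
>> "%TEMP%\audit.inf" echo Revision=1
>> "%TEMP%\audit.inf" echo [Event Audit]
>> "%TEMP%\audit.inf" echo AuditLogonEvents = 3
>> "%TEMP%\audit.inf" echo AuditAccountLogon = 3
secedit /configure /db "%TEMP%\audit.sdb" /cfg "%TEMP%\audit.inf" /areas SECURITYPOLICY /quiet
REM The built-in Guest account is the usual "account not in use".
net user Guest /active:no
echo Members of Administrators (remove anyone who only needs to use the machine):
net localgroup administrators

REM --- network: firewall on with no exceptions, log dropped packets and connections ---
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=ALL
netsh firewall set logging filelocation=%WINDIR%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=ENABLE
netsh firewall show state
REM "harden.cmd offline" also takes the NIC down while the machine is idle;
REM bring it back with admin=ENABLED.
if /i "%~1"=="offline" netsh interface set interface name="%IFACE%" admin=DISABLED

REM --- removable media: disable AutoRun for every drive type (0xFF sets all bits) ---
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f

echo Review %WINDIR%\pfirewall.log and the Security log in eventvwr regularly.
```

Disabling firewall exceptions blocks inbound connections to file sharing and any other listening service, which is the right default for a single home PC; re-enable individual exceptions only if you know which program needs them. The AutoRun registry value takes effect at the next logon, and antivirus on-access scanning still has to be turned on in the antivirus product itself.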

  13. What Was Removed, Damaged, Left Behind • Make a list of what you have before an incident • have to keep it up to date when upgrading the OS • backups, file integrity tools (osiris) • If possible, make an offline copy of the disk first and work on that • Compare the current state to the saved list/backups • Search the web for suspicious files • Ensure up-to-date antivirus (AV) signatures • Scan the disk for viruses, possibly with a few AVs • If a rootkit is installed, you might have to: • boot a Helix/SysResCD/FIRE CD and mount the Windows drive read-only to inspect it
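Slides 6, 8, 9 and 13 describe one procedure: record what is "right" while the system is known good, then compare the live system against that record. The batch script below is an added example, not from the deck; it uses only the XP command-line tools the slides name (net, tasklist, sc, schtasks, netstat, reg, dir and fc for the comparison). It assumes cmd.exe run as Administrator on Windows XP/2003, and the directory names C:\baseline and C:\snapshot are arbitrary choices.

```batch
@echo off
REM snapshot.cmd : capture a baseline of users, privileges, processes, services,
REM scheduled tasks, listening ports and Run keys, or compare the live system
REM against a saved baseline. Added example, not from the original deck.
REM Assumptions: Windows XP/2003 cmd.exe run as Administrator; the directory
REM names are arbitrary.
REM   snapshot.cmd baseline   writes C:\baseline\*.txt (then copy it offline)
REM   snapshot.cmd compare    writes C:\snapshot\*.txt and diffs each file with fc
setlocal
set BASE=C:\baseline
set CUR=C:\snapshot

if /i "%~1"=="baseline" (
    call :capture "%BASE%"
    echo Baseline written to %BASE%. Copy it to removable media you keep offline.
    goto :eof
)
if /i "%~1"=="compare" (
    if not exist "%BASE%\users.txt" (
        echo No baseline in %BASE%. Run "%~nx0 baseline" on a known-good system first.
        exit /b 1
    )
    call :capture "%CUR%"
    for %%F in (users admins processes services tasks ports runkeys) do (
        echo.
        echo === %%F ===  (fc labels each differing block with the file it came from)
        fc /w "%BASE%\%%F.txt" "%CUR%\%%F.txt"
    )
    echo Also review %CUR%\system32-by-date.txt: the newest files are listed last.
    goto :eof
)
echo Usage: %~nx0 baseline ^| compare
exit /b 1

:capture
REM %1 = output directory. Volatile columns (PIDs, memory, next-run times,
REM remote addresses) are dropped and the lists sorted so fc shows real changes.
if not exist "%~1" mkdir "%~1"
net user                      > "%~1\users.txt"
net localgroup administrators > "%~1\admins.txt"
REM Process image names only, one per line, sorted.
(for /f "tokens=1 delims=," %%P in ('tasklist /fo csv /nh') do echo %%~P) > "%~1\tmp.txt"
sort "%~1\tmp.txt" > "%~1\processes.txt"
REM Installed service names, running or not.
sc query state= all | findstr /b "SERVICE_NAME" | sort > "%~1\services.txt"
REM Scheduled task names only.
(for /f "tokens=1 delims=," %%T in ('schtasks /query /fo csv /nh') do echo %%~T) > "%~1\tmp.txt"
sort "%~1\tmp.txt" > "%~1\tasks.txt"
REM Listening TCP sockets and all UDP sockets. Use netstat -anob by hand to map
REM a suspicious port to its owning process.
netstat -an | findstr "LISTENING UDP" | sort > "%~1\ports.txt"
REM Startup persistence points malware commonly uses (the deck's "startup locations").
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  > "%~1\runkeys.txt"
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run >> "%~1\runkeys.txt"
REM Files in system32 ordered by modification date, newest last (dir /od).
dir /od /a %WINDIR%\system32 > "%~1\system32-by-date.txt"
del "%~1\tmp.txt"
exit /b 0
```

Run "snapshot.cmd baseline" right after a clean install and patching, and copy the directory to media kept offline: the copy left on the machine can be edited by whatever compromises it, and a rootkit can also lie to tasklist and netstat, which is why slide 13 falls back to inspecting the drive from a boot CD. "snapshot.cmd compare" then shows, per category, which lines disappeared and which appeared; new entries in runkeys.txt, tasks.txt or ports.txt are the ones to chase with netstat -anob, procexp and autoruns.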

  14. Replace, Clean/Fix, Remove • Safest thing to do: format and re-install the OS • disconnect from the net first • use another computer to download patches • apply patches • re-establish any entry blocks you had set up before • Sometimes you can instead replace files, remove services (sc), delete files, etc. • safest is to do it from a Linux CD with the Windows disk mounted read/write • Don’t forget that applications may allow re-infection • might need to uninstall and re-install them from original media

  15. Conclusion • Being more secure and staying that way is not simple • Know your system • Establish a baseline and keep it updated • Use a script to investigate suspicious incidents • Don’t blame your dog for not warning you

  16. Credits • “Hotel California”: Eagles • Windows XP Start: Microsoft • “Stranger in My House”: Ronnie Milsap • “Who Are You?”: The Who • “Every Breath You Take”: The Police • “We’re All Alone”: Boz Scaggs • “Brahms Lullaby”: S. Stefano Protomartire
