
List:       dshield
Subject:    RE: [Dshield] Microsoft on Rootkits and New Web Scam(s)... [signed]
From:       "Brian P. Donohue [c]" <zbd () u ! washington ! edu>
Date:       2005-02-22 5:21:34
Message-ID: 200502220521.j1M5Lh3U028718 () smtp ! washington ! edu

The most valuable tools I use are from:

www.sysinternals.com

Autoruns
Autorunsc (the command line version)

Tcpview
Tcpvcon (the command line version)

Process Explorer

Nessus scans - there's a plugin for Hacker Defender

Fport from foundstone.com

IDS / IPS

You really need to know your systems - you have to develop the skill of
being able to know what should be running on the system.

Autoruns shows you what is going on when the system starts up.  Windows
rootkits can't compromise the kernel completely.  They have to leave a
service or something in the startup path.  I've seen what's in services or
the startup path be very cleverly named - you have to look very carefully.
One thing we've seen a lot of is an executable named WinWbem.exe.  There are
others.  For example, when spoolsv.exe starts from somewhere other than
%SYSTEM32%, you've got a problem.  If a process is starting from a Temp
directory or a deeply nested folder, it's pretty certain that you've got a
problem.

Tcpview will show you what executables are listening on ports.  If the
process is hidden, Tcpview will show it as an unnamed process - in my
experience the presence of such processes is sure and certain evidence that
Hacker Defender or a cousin is running.  It'll also show ports running that
shouldn't be.  Hackers are getting better at figuring out that using ports
below 2000 is a good way to hide their processes, so you have to look
carefully at everything.

Process Explorer shows everything about a running process - a super-Task
Manager.  You can use it to determine where a process runs, what registry
keys it uses, what .dll's, etc.

Nessus scans have, to date, been infallible for us.  Hackers can't get
around having to use a port to communicate.  Many times, a scan will
identify rogue ftp servers, Wolff backdoors, Dameware, etc., that you should
know shouldn't be there.

Fport is an alternative command-line tool - works like tcpvcon.

We use psexec from sysinternals to run these utilities on remote boxes.

In addition, IDS / IPS tells us when a box starts acting up on the network.

I work at a .edu - 50,000+ unfirewalled hosts on public IPs.  My team has
seen almost 1,000 hacked boxes in the last year.

Finally, we use Encase for forensic examination of hacks, so we can
understand how they work.  Forensic examinations require a great deal of
skill and training.

-----Original Message-----
From: list-bounces@lists.dshield.org [mailto:list-bounces@lists.dshield.org]
On Behalf Of Paul Marsh
Sent: Monday, February 21, 2005 11:45
To: General DShield Discussion List
Subject: RE: [Dshield] Microsoft on Rootkits and New Web Scam(s)...

 

I'd like to toss out a suggestion.  Would it be possible for all those with
detailed experience with rootkits on all platforms to post a few links
pointing to best tools to identify and recover rooted system.  I personally
have only played around with a few tools on test machines.  I hope to never
have to use these tools but if and when I do I want the correct and best
tools.

Thanx, Paul
-------------- Sponsor Message ------------------------------------
SANS Intrusion Immersion Training: Orlando, FL, February 3-9th
http://www.sans.org/orlando05

_______________________________________________
send all posts to list@lists.dshield.org To change your subscription options
(or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list


-- 
---------------------[ Ciphire Signature ]----------------------
From: zbd@u.washington.edu signed email body (2824 characters)
Date: on 22 February 2005 at 05:21:42 UTC
To:   list@lists.dshield.org
----------------------------------------------------------------
: Ciphire has secured this email against identity theft.
: Free download at www.ciphire.com. The garbled lines
: below are the sender's verifiable digital signature.
----------------------------------------------------------------
00fAAAAAEAAABmwRpCCAsAABMCAAIAAgACACCzQCMkhJYzZqf73rI7Tj+5LWVxPA
gz+yu+IgaGKFQflQEADcV7iKod4Dd2dwL6x/ED+I64YqWI7Wen6jr3Q9slmCZvGY
LqG+ZXoxywNvzWDd2otXwsJ+ZM8gShqwEjbipzzw==
------------------[ End Ciphire Signed Message ]----------------
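The checks Brian lists above (a system binary such as spoolsv.exe starting from somewhere other than %SYSTEM32%, a startup entry launched from a Temp directory or a deeply nested folder, and a listening port whose owning process Tcpview/Tcpvcon cannot name) are easy to script once you have CSV output from autorunsc and tcpvcon. The script below is an added example and is not part of Brian's post or of the Sysinternals tools. The CSV column layouts it expects from `autorunsc -c` and `tcpvcon -c`, the "deeply nested" threshold, the placeholder strings used for an unresolvable process, the list of system-only binaries and the port baseline are all assumptions; the sample CSV text is constructed, not captured from a real host.

```python
"""Triage autorunsc / tcpvcon CSV output for the rootkit indicators discussed
above.  Added example, not from the original post.  Column layouts, thresholds
and the listener baseline are assumptions; adjust them to your environment."""
import csv
import io
import ntpath

SYSTEM32 = r"c:\windows\system32"
# Binaries that should only ever start from %SYSTEM32% (assumed short list).
SYSTEM_ONLY = {"spoolsv.exe", "svchost.exe", "lsass.exe", "services.exe",
               "winlogon.exe", "csrss.exe"}
# Substrings that mark a Temp location (assumed).
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\local settings\\")
MAX_DEPTH = 5            # more directory levels than this is "deeply nested" (assumed)
# Site baseline, port -> expected owning process; build yours from a clean box.
EXPECTED_LISTENERS = {135: "svchost.exe", 139: "system", 445: "system"}
# Strings the tool prints when it cannot resolve the owning process (assumed).
UNNAMED = {"", "<non-existent>", "<unknown>"}


def parse_image_path(launch):
    """Reduce an Autoruns launch string to a lower-cased executable path,
    dropping surrounding quotes and any arguments after the .exe."""
    s = launch.strip().lower()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    idx = s.find(".exe")
    return s[:idx + 4] if idx != -1 else s.split(" ")[0]


def check_startup_entry(launch):
    """Return a list of findings (strings) for one startup entry."""
    path = parse_image_path(launch)
    directory, name = ntpath.split(path)
    findings = []
    if name in SYSTEM_ONLY and directory != SYSTEM32:
        findings.append(f"{name} starts from {directory or '(no path)'} "
                        f"instead of {SYSTEM32}")
    if any(m in path for m in TEMP_MARKERS):
        findings.append(f"{name} starts from a Temp directory: {path}")
    depth = path.count("\\") - 1          # directory levels below the drive
    if depth > MAX_DEPTH:
        findings.append(f"{name} starts from a deeply nested folder "
                        f"({depth} levels): {path}")
    return findings


def check_listener(proc, pid, state, local):
    """Return findings for one tcpvcon row; only LISTENING sockets are judged."""
    if state.strip().upper() != "LISTENING":
        return []
    port = int(local.strip().rsplit(":", 1)[1])   # also handles [::]:135
    name = proc.strip().lower()
    if name in UNNAMED:
        return [f"port {port} (pid {pid}) is owned by a process the tool "
                f"cannot name: possible hidden process"]
    expected = EXPECTED_LISTENERS.get(port)
    if expected is None:
        return [f"port {port} listener {name} (pid {pid}) is not in the baseline"]
    if expected != name:
        return [f"port {port} listener is {name}, baseline expects {expected}"]
    return []


def triage_autoruns(csv_text):
    """Apply check_startup_entry to autorunsc -c output (assumed to carry an
    'Entry' and an 'Image Path' column); returns (entry, finding) pairs."""
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for f in check_startup_entry(row.get("Image Path", "")):
            out.append((row.get("Entry", "?"), f))
    return out


def triage_tcpvcon(csv_text):
    """Apply check_listener to tcpvcon -c output (assumed columns:
    proto,process,pid,state,local,remote); returns finding strings."""
    out = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 5:
            continue
        out.extend(check_listener(row[1], row[2], row[3], row[4]))
    return out


# Constructed sample output, not captured from a real host.
AUTORUNS_CSV = r"""Entry Location,Entry,Enabled,Description,Publisher,Image Path
HKLM\System\CurrentControlSet\Services,Spooler,enabled,Print Spooler,Microsoft Corporation,c:\windows\system32\spoolsv.exe
HKLM\System\CurrentControlSet\Services,WinWbem,enabled,,,c:\windows\system32\wbem\drivers\etc\cache\WinWbem.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,,,c:\documents and settings\user\local settings\temp\spoolsv.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,ctfmon,enabled,CTF Loader,Microsoft Corporation,c:\windows\system32\ctfmon.exe
"""
TCPVCON_CSV = """TCP,svchost.exe,1016,LISTENING,0.0.0.0:135,0.0.0.0:0
TCP,System,4,LISTENING,0.0.0.0:445,0.0.0.0:0
TCP,<non-existent>,0,LISTENING,0.0.0.0:1188,0.0.0.0:0
TCP,explorer.exe,1520,LISTENING,0.0.0.0:21,0.0.0.0:0
TCP,svchost.exe,1016,ESTABLISHED,10.0.0.5:135,10.0.0.9:2345
"""

if __name__ == "__main__":
    # On a live box, feed the saved output of autorunsc -c and tcpvcon -c
    # (run via psexec for remote hosts) instead of the constructed samples.
    for entry, finding in triage_autoruns(AUTORUNS_CSV):
        print(f"[autoruns] {entry}: {finding}")
    for finding in triage_tcpvcon(TCPVCON_CSV):
        print(f"[tcpvcon] {finding}")
```

On the constructed samples the script flags the WinWbem entry for its nesting depth, the Temp-directory spoolsv.exe twice (wrong location for a system binary, and a Temp path), the unnamed owner of port 1188 as a possible hidden process, and the port 21 listener that is absent from the baseline; the legitimate Spooler, ctfmon, 135 and 445 rows produce nothing. The baseline and thresholds are the part you must tune per site, which is the "know your systems" point the post makes.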
