Embed Size (px)
Citation preview
So Your Computer is Infected,Now What?
STC/STS Tech Training3:00-4:00, Tuesday, August 18, 2009
Brian Allen [email protected]
Network Security Analyst,Washington University in St. Louis
http://nso.wustl.edu/presentations/
Copyright Brian Allen 2009. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying
is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
NSS
NSO
Business School
Law School
Arts & Sciences
Medical School
Engineering School
Internets
Decentralized Campus NetworkNSS = Network Services and SupportNSO = Network Security Office
Library
Social Work
Art & Architecture
IS&T
Tools
• SecCheck• Symantec Endpoint AV• Ultimate Boot CD for Windows• Knoppix Boot CD• TrendMicro Online Scan• Sysinternal Tools• SpyBot Search and Destroy-Advanced Mode• Clean It By Hand
We Interrupt This NSO Presentation For An Important
Security Announcement
Knoppix
• Self contained and complete OS• Will boot even if no hard drive• Linux (command line) with a nice gui• Knoppix has been around since 2000• Popular in the security community• There are other Linux Live CDs• ClamAV or F-Prot are free AV options
Sysinternals Tools I like
• Process Explorer• Autoruns• Process Monitor• PSTools• TCPView• RootkitRevealer
Art of Cleaning It By Hand
• Favorite malware hideouts:c:\windows\system32, c:\windows\system, c:\windows\system32\drivers
• Find create and modify timestamps• Start from that date look for more badness• Look at the binary file attributes • Rename or move each file as you go• Purge every Temp directory• Reboot, repeat
Current Threats
• Torpig, • Mebroot - Sinowal• Conficker worm• Cutwail• Rustock• Grum virus• BlackEnergy - HTTP-based botnet used
primarily for DDoS attacks
Security Websites
• ThreatExpert Sandbox• Virus Total• Sunbelt CWSandbox• Anubis Sandbox• Norman Sandbox
Norman Email• message.htm-MALWARE : INFECTED with W32/Malware (Signature: MyDoom)
• [ DetectionInfo ]• * Filename: C:\analyzer\scan\message.htm-MALWARE.• * Signature name: MyDoom.L@mm.• * Executable type: Application.• • [ Changes to filesystem ]• * Creates file C:\WINDOWS\TEMP\zincite.log.• • [ Changes to registry ]• * Accesses Registry key "HKLM\Software\Microsoft\Daemon".• • [ Network services ]• * Looks for an Internet connection.• • [ Process/window information ]• * Creates process "services.exe"".• * Will automatically restart after boot (I'll be back...).
Case Study
• Dear user,
We have received reports that your account has been used to send a large amount of spam messages during the last week. We suspect that your computer had been infected by a recent virus and now contains a hidden proxy server.
Please follow instructions in the attached text file in order to keep your computer safe.
Best wishes, The WUSTL.EDU team.
NO! DON’T CLICK ON IT!
So Your Computer Is Infected, Now What?
Clean vs Rebuild? Pros/Cons
• Discussion
Books
• Cryptonomicon – fiction• Cuckoo's egg - nonfiction• Safaribooksonline.com – free for wustl.edu
