
Using Windows to Defend Windows

Using Windows to Defend Windows. Scott Wilson, Levi Arnold, Oklahoma State University. Malware: first steps in fighting. Recognize that something's wrong. Learn to run a scan/removal tool, like SpyBot, SpywareDoctor, MBAM or another.





Presentation Transcript


  1. Using Windows to Defend Windows Scott Wilson Levi Arnold Oklahoma State University

  2. Malware – first steps in fighting • Recognize that something's wrong • Learn to run a scan/removal tool, like SpyBot, SpywareDoctor, MBAM or another. • At this stage people are very excited and willing to suggest a scan as the solution to every problem they see.

  3. Malware – next steps in fighting • Learn about layered defenses and the difference between antivirus and anti-spyware scanners. • Learn how to better use scanners and removal tools; know when MBAM will work better than SpyBot, know what false positives are likely to be thrown by scanners.

  4. Begin to get past scanning • Learn some more in-depth software tools, like the Sysinternals Utilities. • Begin to get an idea how malware works.

  5. Going past scanning • Dealing with a 4-H agent’s computer • Ran SpyBot and some other scanners, but the machine kept re-infecting itself after rebooting.

  6. Recovery Console • In-law’s computer • Vundo and TDSS, hybridized • Vundofix didn’t work, neither did Avenger, neither did Combofix, neither did …

  7. Recovery Console • RC command “disable” allows disabling services/device drivers • disable {[service_name] | [device_driver_name]} • RC also allows viewing of hidden files • Other boot disks can give similar options, although they can be difficult to configure.

  8. Hosts files • County employee who loved StarWare, even though it was making her machine crash constantly.

  9. Hosts files • Ad-blocking hosts files from Mike Skallas (www.everythingisnt.com) and MVPS (www.mvps.org) also block many malware sites.

  10. Hosts files • Host files can also be used positively, to provide a constant reference for a machine.

  11. Executable redirecting • Open regedit • Browse to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options • Create a new key with the name of the process you want to block; e.g., calc.exe

  12. Executable redirecting • Create a new string value under that key. Name it Debugger. • Modify the value data to be: Rundll32.Exe url.Dll,FileProtocolHandler http://www.google.com/search?q=

  13. Executable redirecting [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe] "Debugger"="Rundll32.Exe url.Dll,FileProtocolHandler http://www.google.com/search?q="

  14. Executable redirecting • Perhaps that wasn’t a good example.

  15. Executable redirecting [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiSpyware2008.exe] "Debugger"="cmd.exe /c echo %time% %date% >> c:\\ExecBlocked.log"

  16. Executable redirecting • It’s possible to call any type of executable file from the redirect, so using a batch file to script multiple actions upon malware executing is possible.

  17. Executable redirecting • Up side: possible to immunize the system against annoying things like AV2008. • Possible to script events to happen to alert your IT staff when a computer gets infected.

  18. Executable redirecting • Down side: have to know the name of the executable or process. It’s not practical to immunize against those malware objects that generate a random name – although you can stop them executing while working on a system.
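The IFEO “Debugger” immunization from slides 11–18, scripted in PowerShell as an added example (this is not code from the presentation). It assumes an elevated prompt, since writing under HKLM needs administrator rights, and uses the log path C:\ExecBlocked.log from slide 15; the function names are hypothetical. It also adds the audit step a practitioner wants: because the same key is a well-known persistence location, list every Debugger entry and compare it with the ones you created yourself.

```powershell
# Added example, not from the slides. Assumes an elevated PowerShell session.
$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Add-IfeoBlock {
    param(
        [Parameter(Mandatory)][string]$ExeName,      # image name only, e.g. AntiSpyware2008.exe
        [string]$LogPath = 'C:\ExecBlocked.log'      # log path taken from slide 15 (assumed writable)
    )
    $key = Join-Path $IfeoPath $ExeName
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Windows appends the intercepted program's full command line after the Debugger
    # string, so the echo records the time, the date and the path that tried to run.
    $debugger = "cmd.exe /c echo %time% %date% >> $LogPath"
    New-ItemProperty -LiteralPath $key -Name 'Debugger' -Value $debugger `
        -PropertyType String -Force | Out-Null
}

function Remove-IfeoBlock {
    # Undo the immunization for one image name.
    param([Parameter(Mandatory)][string]$ExeName)
    $key = Join-Path $IfeoPath $ExeName
    if (Test-Path -LiteralPath $key) { Remove-Item -LiteralPath $key -Recurse }
}

function Get-IfeoDebugger {
    # Audit: every image name that currently has a Debugger value. Investigate any
    # entry you did not create, especially one pointing at a security tool's name.
    Get-ChildItem -LiteralPath $IfeoPath | ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue
        if ($props -and $props.Debugger) {
            [pscustomobject]@{ Image = $_.PSChildName; Debugger = $props.Debugger }
        }
    }
}

# Usage: immunize against the rogue scanner from slide 15, then review all entries.
Add-IfeoBlock -ExeName 'AntiSpyware2008.exe'
Get-IfeoDebugger | Format-Table -AutoSize
```

The block only helps against a known image name, exactly as slide 18 says; random-named droppers are not caught, so treat the audit output as a check on your own entries rather than as a scanner.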

  19. Going forward • Learn about malware. Learn how it works, how it spreads, what the different types do. • Learn some programming; it will help you to have some idea of how malware works.

  20. Learning Resources - Blogs • Mark Russinovich: http://blogs.technet.com/markrussinovich • TrendMicro: http://blog.trendmicro.com/ • F-Secure: http://www.f-secure.com/weblog/ • Viruslist: http://www.viruslist.com/en/weblog • Microsoft: http://blogs.technet.com/mmpc/

  21. Learning Resources - Fora • Geek University : Forum-based training for malware fighters. http://www.geekstogo.com/forum/index.php?autocom=custom&page=GeekU • Bleeping Computer: Has both removal guides and excellent fora. http://www.bleepingcomputer.com/ • PC Hell: similar to Bleeping Computer. http://www.pchell.com/

  22. Learning Resources - Other • Email lists. Vince Verbeke has a good one – send him an email to subscribe. • Books: Malware: Fighting Malicious Code by Ed Skoudis; Hacking Exposed: Malware and Rootkits by Davis, Bodmer and Lord (September 16th)
