anti-virus

Jun 24 2009   6:24PM GMT

Did you see this? - SYSTEM CLEANING: GETTING RID OF MALWARE FROM INFECTED PCS

Posted by: Troy Tate
malware, malicious software, Security, information security, integrity, availability, trojan, bot, botnet, registry, antivirus, anti-virus, av

I don’t know about you but I do get frustrated when a white paper is advertised and it has little or no meat to it. Most times it seems like the whitepapers offered by vendors today are light marketing fluff with little substance to help IT folks do their job better.

I came across a whitepaper/research document today that will help you do your job better if you manage systems that may become affected by malware. This means anyone that uses a computer could get some use from this document and website.

Check it out today. The whitepaper does not require any registration (another pet peeve of mine - check out bugmenot for Firefox if registrations bug you too!). The whitepaper is titled SYSTEM CLEANING: GETTING
RID OF MALWARE FROM INFECTED PCS.

Thanks for reading and let’s continue to be good network citizens.

Apr 2 2009   8:53PM GMT

5 Things we learned from the Conficker non-event

Posted by: Troy Tate
Conficker, patching, Microsoft, patches, lessons learned, malware, network, predicting future, Security, information security, endpoint protection, endpoint, antivirus, anti-virus

1. The media can take a story about Information Technology and say nothing of substance. What did the 60 Minutes story do for the IT industry? It made Symantec look like they could not effectively address security risks and might even create a sense of false security. I wonder how the CBS IT staff felt when it was revealed that some computers had been compromised. Who was this April Fools joke for? Working in IT at times makes you feel like Rodney Dangerfield - “I don’t get no respect”

Continued »

Mar 31 2009   3:32PM GMT

Simple Conficker Scanner tool released - find the infected machines

Posted by: Troy Tate
honeynet, diagnostic tools, Conficker, ms08-067, antivirus, patches, anti-virus, detection, scanning, vulnerability scanning, vulnerability

A Simple Conficker Scanner (SCS) tool has been released by members of the Honeynet Project. This tool can be run under linux or Windows. It runs a specially crafted RPC query against a host or range of IP addresses. The tool will tell if systems are clean or potentially infected. I am running this tool against hosts on my network and I found a Windows 2000 server apparently infected by Conficker. I am in the process of clean-up on that host. It looks like a couple of things contributed to the infection on this computer:

1. Out of date anti-virus. The antivirus signatures had not been updated since January 2008.

2. Microsoft patches not applied.

Folks, the advice about maintaining up-to-date AV and applying patches is good advice. Heed the warnings and save yourself some troubles of clean-up. I will be having a discussion with my operations team about this situation and make it clear that we should have been prepared for this and this situation should not have arisen.

I am also following the advice from McAfee on Combating the Conficker worm

For more details on how the Conficker worm actually works, follow the links in my blog

The Conficker Analysis - are you ready for April 1?

Thanks for reading. Let’s continue to be good network citizens.

Feb 11 2009   8:08PM GMT

Tracking down that user/computer that locks AD accounts

Posted by: Troy Tate
Data security, administration, analysis, antivirus, anti-virus, diagnostics, howto, information security, malicious activity, malware, Microsoft, Microsoft Windows, Active Directory, AD, network security, Password, policy enforcement, reporting, risk, risks, scanning, search, Security, security notification, tools, troubleshooting, Windows, password management, account management

With an environment spanning 18+ sites and more than 3000 computers around the globe, you could understand how challenging it would be to track down what device/user might be locking user accounts. There are tools out there that you can pay for that can help do this. However, Microsoft has some free tools that with a little testing and use will permit you to quickly track down where the account is being locked and address the situation.

We had a situation recently where malicious software got onto a couple of machines and attempted to use the Administrator account to login. We have account lockout on our Windows 2003 AD domain, so after the appropriate number of invalid tries the Administrator account was locked out in the domain. This is because the machines were members of the domain and the malware did not distinguish the local administrator account from the domain administrator when attempting to elevate authority. Note that we use least user authority in our environment so the malware was not able to spread beyond these two machines. We suspect the machines became infected due to out of date antivirus signatures.

Unfortunately, the antivirus we use did not alert us to the situation. The way we were alerted was by our Microsoft Systems Center Operations Manager (SCOM) implementation. It notified the SCOM admin that the domain Administrator account was locked. The operations team was then tasked with tracking down what or who was locking this account. This is where the Microsoft Account Lockout and Management Tools came in use and helped isolate the cause. Continued »

Jan 21 2009   5:10PM GMT

Microsoft guidelines for Turning off Windows AutoRun do NOT work properly!

Posted by: Troy Tate
anti-virus, antivirus, Security, information security, CERT, Windows, trojan, digital picture frame, risks, security notification

One of the information security lists I subscribe to is the US-CERT Technical Cyber Security Alerts. US-CERT is the United States Computer Emergency Readiness Team. If you have information security responsibilities, I highly recommend that you visit their website and register for their mailing lists and subscribe to the RSS feeds to get the latest information on information security issues from a trusted US Government source.

In case you have not seen or heard the latest US-CERT Technical Cyber Security Alert reads as shown below. I don’t know about you but the information in this bulletin really concerns me. I know personally how autorun.inf can affect a computer. I recently received a digital picture frame (DPF) as a gift. It is a very nice one in that it can handle several different types of media and is even an MP3 player. When I connected it to my computer the first time, Windows went through the “new device found” routine. Windows found the device as a standard removable storage device. That was no big deal. However, the DPF has 128MB of internal storage and that storage held an autorun.inf file that referenced a trojan executable! Fortunately my anti-virus detected it and deleted the file before it could do damage. How many consumers do not have antivirus? How would the trojan affected their systems? That is a substantial risk in today’s technology environment!

I would highly recommend taking the steps outlined below to ensure that autorun.inf does not take down a critical system within your organization.

Thanks for reading & let’s continue to be good network citizens.

================================================

National Cyber Alert System

Technical Cyber Security Alert TA09-020A

Microsoft Windows Does Not Disable AutoRun Properly

Original release date: January 20, 2009

Last revised: –

Source: US-CERT

Systems Affected

* Microsoft Windows

Overview

Disabling AutoRun on Microsoft Windows systems can help prevent the spread of malicious code. However, Microsoft’s guidelines for disabling AutoRun are not fully effective, which could be considered a  vulnerability.

I. Description

Microsoft Windows includes an AutoRun feature, which can automatically run code when removable devices are connected to the computer. AutoRun (and the closely related AutoPlay) can unexpectedly cause arbitrary code execution in the following situations:

* A removable device is connected to a computer. This includes, but is not limited to, inserting a CD or DVD, connecting a USB or Firewire device, or mapping a network drive. This connection can result in code execution without any additional user interaction.

* A user clicks the drive icon for a removable device in Windows Explorer. Rather than exploring the drive’s contents, this action can cause code execution.

* The user selects an option from the AutoPlay dialog that is displayed when a removable device is connected. Malicious software, such as W32.Downadup, is using AutoRun to spread. Disabling AutoRun, as specified in the CERT/CC Vulnerability Analysis blog, is an effective way of helping to prevent the spread of malicious code.

The Autorun and NoDriveTypeAutorun registry values are both ineffective for fully disabling AutoRun capabilities on Microsoft Windows systems. Setting the Autorun registry value to 0 will not prevent newly connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed. According to Microsoft, setting the NoDriveTypeAutorun registry value to 0xFF “disables

Autoplay on all types of drives.” Even with this value set, Windows may execute arbitrary code when the user clicks the icon for the device in Windows Explorer.

II. Impact

By placing an Autorun.inf file on a device, an attacker may be able to automatically execute arbitrary code when the device is connected to a Windows system. Code execution may also take place when the user attempts to browse to the software location with Windows Explorer.

III. Solution

Disable AutoRun in Microsoft Windows

To effectively disable AutoRun in Microsoft Windows, import the following registry value:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]

@=”@SYS:DoesNotExist”

To import this value, perform the following steps:

* Copy the text

* Paste the text into Windows Notepad

* Save the file as autorun.reg

* Navigate to the file location

* Double-click the file to import it into the Windows registry

Microsoft Windows can also cache the AutoRun information from mounted devices in the MountPoints2 registry key. We recommend restarting Windows after making the registry change so that any cached mount points are reinitialized in a way that ignores the Autorun.inf file. Alternatively, the following registry key may be deleted:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Once these changes have been made, all of the AutoRun code execution scenarios described above will be mitigated because Windows will no longer parse Autorun.inf files to determine which actions to take. Further details are available in the CERT/CC Vulnerability Analysis blog. Thanks to Nick Brown and Emin Atac for providing the workaround.

IV. References

* The Dangers of Windows AutoRun -

<http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html>

* US-CERT Vulnerability Note VU#889747 -

<http://www.kb.cert.org/vuls/id/889747>

* Nick Brown’s blog: Memory stick worms -

<http://nick.brown.free.fr/blog/2007/10/memory-stick-worms>

* TR08-004 Disabling Autorun -

<http://www.publicsafety.gc.ca/prg/em/ccirc/2008/tr08-004-eng.aspx>

* How to Enable or Disable Automatically Running CD-ROMs -

<http://support.microsoft.com/kb/155217>

* NoDriveTypeAutoRun -

<http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91525.mspx>

* Autorun.inf Entries -

<http://msdn.microsoft.com/en-us/library/bb776823(VS.85).aspx>

* W32.Downadup -

<http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99>

* MS08-067 Worm, Downadup/Conflicker -

<http://www.f-secure.com/weblog/archives/00001576.html>

* Social Engineering Autoplay and Windows 7 -

<http://www.f-secure.com/weblog/archives/00001586.html>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA09-020A.html>

____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with “TA09-020A Feedback VU#889747″ in the subject.

____________________________________________________________________

For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>.

____________________________________________________________________

Produced 2009 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>

____________________________________________________________________

Revision History

January 20, 2009: Initial release

================================================

Dec 10 2008   1:19PM GMT

The larger world of free technical support - Craigslist computer forum

Posted by: Troy Tate
Networking, tools, documentation, patching, web, IT education, malware, website, anti-virus, troubleshooting, howto, online identity, risk, awareness, education, professional

I recently came across the computer forums on Craigslist. I had heard of Craigslist previously but was not aware of the significant scope of what it offers besides classified ads. I’m not suggesting that folks leave ITKE to the Craigslist computer forums for support - far from that.

I have been watching some of the exchanges between posters on the forums. It amazes me what people will post when the environment provides seeming anonymity. ITKE does offer this also, but the moderators do a great job of keeping the Trolls away. The Craigslist posters do not behave in the same professional manner that ITKE users do. There are many writers on Craigslist that belittle computer user skills for those asking “noob” questions. There are also those who attempt to discredit or otherwise tear down answers from those who have real computer skills and knowledge.

For example, there was a recent posting thread reminding people that the Microsoft Tuesday patches had been released. One feature that Craigslist offers similar to ITKE is the ability to rate postings. Someone rated the patch Tuesday reminder as a “thumbs down” posting. This is really unprofessional behavior. The thread went on to describe that exploits were sure to follow the patches since hackers use the patches to reverse-engineer the vulnerability. Someone asked if the exploits could already exist. Of course they might, but the exploits would become more likely after the patches are released.

The thread also described how the patches are to protect users from themselves. Most users are tempted into doing something (downloading software, answering yes to some popup window, visiting that interesting website) that causes malicious software to do something on their system that is totally unintended by the users… so the patch is there to fix some things that might be otherwise used by these malware writers. Really patching is the only preventive mechanism. Antivirus is a detective method that detects when something is trying to do something it shouldn’t. Patching won’t let those things happen - unless the user makes a poor judgement call… we all do! I have even opened an infected PDF file thinking it was a legitimate document. Fortunately, AV was able to clean up after my mistake.

For some reason, some troll thought they would say that these postings were by a “know-it-all n00b”. It seems like this Craigslist forum user may be one of those miscreants who want people to remain ignorant and cannot handle someone else teaching others about safe computing and answering other users’ questions.

I would like to encourage ITKE readers and IT professionals to help make IT support forums professional and user-friendly. If you have time, watch the Craigslist computer forums, offer support to the users  who don’t have the same professional support available we have on ITKE. Make the trolls look even worse by treating the users with some respect. By sharing our knowledge and skills, we can help users use the computer in a productive manner. Thanks for reading this and hope you join me in sharing knowledge either here on ITKE and/or Craigslist.

Dec 3 2008   3:50PM GMT

Holiday greeting cards, holiday shopping and computer security awareness

Posted by: Troy Tate
administration, Firewalls, Security, Microsoft Windows, Browsers, IT education, spam, antivirus, homeland security, Data security, malware, SSL, phishing, Firefox, Microsoft, anti-virus, online identity, risk, awareness, vulnerability, education, data loss

I just sent this email reminder to all users in my organization. I would recommend you do something similar if you are not already ensuring users are aware of these issues. Feel free to use my content and add your own.

 It is that time of year again when folks send electronic holiday greeting cards to one another. Some of the greetings may also be games that bear holiday messages. It is also a time when malicious software spreads using these same types of messages and software. You should also be cautious when doing any holiday shopping online or at stores. It is important that you and those you communicate with understand these risks. Your finances and identity are always at risk in today’s technology environment, but you may be less attentive during the holiday season. The following 10 tips are meant to remind you of some important security precautions.

 

1.    Do NOT use your company email address for personal holiday greetings or shopping activities. Merchants may sell your email address to other non-reputable sources and this puts your company identity at risk.

 

2.    If you receive personal holiday greetings or “cute” games at your company email address, ask the sender to not send those to you at work. Use a personal email account for those communications.

 

3.    If you do receive holiday greetings or games at your personal email address, check with the sender before opening to be sure they sent the message. Spammers and malicious software writers can easily deceive you through social engineering. They will do everything possible to get you to open their message and potentially damage your computer and/or harvest your email address as a valid address.

 

4.    Don’t trust everything you see online. Finding something on the internet does not guarantee that it is true. Anyone can publish information online, so before accepting a statement as fact or taking action, verify that the source is reliable.

 

5.    If it looks too good to be true, it probably is. You have probably seen many emails promising fantastic rewards or monetary gifts. However, regardless of what the email claims, there are not any wealthy strangers desperate to send you money. Beware of grand promises—they are most likely spam, hoaxes, or phishing schemes. Also be wary of pop-up windows and advertisements for free downloadable software—they may be disguising spyware. Close the pop-up windows by clicking the X in the top right corner. Do not click the YES, NO, or CANCEL buttons in the window. It may cause unwanted computer issues if you do. Do not trust what you see in these pop-up windows. Contact IT support if you have any questions or issues.

 

6.    Avoid phishing schemes. Banks and other institutions will not actively solicit personal information by email. When you click a link in an email asking for this type of information, your choice may risk your finances and personal identity. The link may take you to a website hosted by someone with malicious intentions. If you enter your personal information on the website, you have just had your identity taken by a social engineering attack and may have incurred a financial loss.

 

7.    If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a web site connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org/phishing_archive.html).

 

8.    If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account. Consider reporting the attack to the police, and file a report with the Federal Trade Commission (http://www.ftc.gov/).

 

9.    Do not participate in forwarding chain letters or perpetuating hoaxes or urban legends. Hoaxes attempt to trick or defraud users. A hoax could be malicious, instructing users to delete a file necessary to the operating system by claiming it is a virus. It could also be a scam that convinces users to send money or personal information. Phishing attacks could fall into this category. Urban legends are designed to be redistributed and usually warn users of a threat or claim to be notifying them of important or urgent information. Another common form are the emails that promise users monetary rewards for forwarding the message or suggest that they are signing something that will be submitted to a particular group. Urban legends usually have no negative effect aside from wasted network bandwidth, server resources and time. If you want to check the validity of an email, there are some web sites that provide information about hoaxes and urban legends: Urban Legends and Folklore - http://urbanlegends.about.com/;  Urban Legends Reference Pages - http://www.snopes.com/; Hoaxbusters - http://hoaxbusters.ciac.org/; TruthOrFiction.com - http://www.truthorfiction.com/; Symantec Security Response Hoaxes - http://www.symantec.com/avcenter/hoax.html; McAfee Security Virus Hoaxes - http://vil.mcafee.com/hoax.asp

 

10. Protect yourself while shopping online. Use and maintain anti-virus software, a firewall, and anti-spyware software. Keep software, particularly your web browser, up to date. Do business with reputable vendors. Take advantage of security features like secure passwords and encrypting information between your computer and the vendor’s website (look for the “lock” symbol in the browser or the website address beginning with “https” rather than “http”. Use a credit card rather than a debit card. Check your statements for any unusual or unauthorized activity.

 

Hopefully these tips will help you and those around you to have a happy holiday and reduce the risk of an unwelcome holiday event due to being uninformed. Please feel free to share these tips with your friends and family to help increase awareness and reduce risky behavior.

 

See the CERT Cyber Security Tips website for more information like this.

Oct 6 2008   1:12PM GMT

Did you see this? - Process monitor now does TCP/UDP monitoring

Posted by: Troy Tate
administration, Networking, forensics, Security, tools, Microsoft Windows, Monitoring, reporting, internet, LAN, debugging, Data security, malware, performance monitoring, recovery, Microsoft, anti-virus, troubleshooting, Performance, howto, network analysis, Sandbox, packet capture, research, diagnostics, Sysinternals, toolkit, analysis

If you ever need to get under the covers of running Windows processes for investigating why a system is running slow, then the Sysinternals toolkit has an updated tool that will help you. Per the website:

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

Process Monitor runs on Windows 2000 SP4 with Update Rollup 1, Windows XP SP2, Windows Server 2003 SP1, and Windows Vista as well as x64 versions of Windows XP, Windows Server 2003 SP1 and Windows Vista.

I had previously talked about the Sysinternals Live website. This update to one of the excellent tools is well worth your time in investigating. Take a look at the updated tool here. The entire Sysinternals toolset can be found here.

If you have not used these tools yet, then you are definitely missing a critical item for being successful in your IT position. Check them out… it may save your reputation some time!

Oct 3 2008   7:59PM GMT

Did you see this? - Open Source Tools University

Posted by: Troy Tate
administration, Networking, Firewalls, forensics, Security, tools, Monitoring, reporting, internet, IT education, WAN, LAN, debugging, Data security, SSL, performance monitoring, blogging, design, anti-virus, troubleshooting, Performance, howto, network analysis, Sandbox, Metrics, wireshark, packet capture, research, blog, podcast, diagnostics, toolkit, analysis

If you are like me, you like those little goodie tools like nmap and wireshark that do something that is actually pretty complex but do it well and have a great following. I just came across this website that I am going to have to take some time to go through and find all of the nuggets it offers. Hope you get some use out of it too and let us know what you discover and how it made your job easier.

LoveMyTool

There are presentations on this site like the Wireshark IO Graph for Response Time Analysis (by Ray Tompkins).This should be a great online learning experience. You will find contributors like Sake Blok, a Wireshark Core Developer and Denny K Miu of StartupforLess.org - A Survival Guide for Bootstrapping Entrepreneurs

Sep 3 2008   7:28PM GMT

Did you see (listen to) this? - Podcast on preventing spam

Posted by: Troy Tate
administration, Security, tools, reporting, internet, DataManagement, IT education, spam, email, Data security, Policy, Exchange, anti-virus, Performance, howto, Metrics, risk, awareness, podcast

An audio podcast on how SPAM is generated along with an examination on the frameworks and technologies that help manage and reduce SPAM.

This may be a great tutorial for you and/or your users.

CERTStation Media - Spam-Prevent.mp3

I just ran my monthly e-mail statistics and these are the results:

97,000 msgs/day inbound

8,800 msgs/day delivered to end users - 9%

22,200 msgs/day quarantined as spam - 23%

66,000 msgs/day blocked as spam - 67%

This month had higher than normal quarantine activity. Quarantine has been running about 15% and blocking around 75%.  How does your mail stack up?

Thanks for your time. Let’s be good network citizens together & practice safe networking!