• Modern persistence hooks into the OS – Make it very difficult to remove without damaging the host OS.
• Ability to use a low level API calls to carve out new disk volumes totally hidden from the infected victim, making traditional disk forensics impossible or difficult.
• Sophisticated and stealthy modification of resident system drivers to allow for kernel-mode delivery of malicious code.
• Advanced Antivirus bypassing mechanisms.
• Anti Forensic Technology – ZeroAccess uses low level disk and filesystem calls to defeat popular disk and in-memory forensics tools.
• Serves as a stealthy platform for the retrieval and installation of other malicious crimeware programs.
• Kernel level monitoring via Asynchronous Procedure Calls of all user-space and kernel-space processes and images, and ability to seamlessly inject code into any monitored image.

If those elements do not scare you, then consider this information from the same article:

Symantec reports that 250,000+ computers have been infected with this rootkit. If 100% of users pay the $70 removal fee, it would net a total of $17,500,000. As it is not likely that 100% of users will pay the fee, assuming that perhaps 30% will, resulting $5,250,000 in revenue for the RBN (Russian Business Network) cybercrime syndicate.

There’s real money changing hands with malware today. It is no longer script kiddies or basement geeks getting jollies with causing issues on a few computers.

Thanks for reading & let’s continue to be good network citizens and track down & prosecute those that are not.

Thanks for reading & let’s continue to be good network citizens!

I find this article humorous but at the same time frustrating with the comment about current threats:

… the top hacking methods of cross-site scripting and SQL injection had not changed in the past six years.

“One, it tells me that the bad guys go with what they know, and two, it says the developers aren’t listening”

How should this message be delivered to developers? Why are these threats still showing up in the top 5? If you are a developer or a CISO, let me and other ITKE readers know how you handle these security issues. Thanks for reading and let’s continue to be good network citizens.

This keeps us support folks ever mindful of maintaining robust secure systems that are capable of doing the required job. I wonder how much attention the IT support staff at Spainair will have now that this report has been released.

What do you think should happen to the IT support staff? How do US airlines handle client computer security to prevent a similar event from happening? Leave your comments for other ITKE readers. Thanks for reading & let’s continue to be good network citizens!

I proposed some options in 2009:

Should computers be “licensed” or “permitted” to be on the internet to reduce threats to unsuspecting users? That’s a thought for you… what governing body would issue these computer use permits? What would the rate infrastructure be like – based on processor/memory or bandwidth? Where would the permit fees go? Would there be some internet oversight body that uses the fees to have inline malware filters?

Would these still be valid options? I mean there is real money involved with the losses due to malicious software. Who is responsible for the loss? Is it the non-technical home user who does not keep their system updated because they do not know what to update? And if they do update it, how do they know the update source is credible? How many times have you gone to a website (think Facebook) and see that your Flash software needs updated? This is an example of a prime target for malvertisers. What would you suggest? Leave some feedback for me and other ITKE readers.

Thanks for reading and let’s continue to be good network citizens!

Muster.e infects the “imepaden.hlp” help file. This help file is used for Microsoft IME – input method editor. IME allows a user to enter characters or symbols not found on their input device. So, a user with a Western keyboard could enter Asian characters. This help file can be viewed normally even when infected. The infection creates a system service that extracts the virus executable portion from the help file after each reboot. So, even if you clean out the registry key and remove the malicious file it creates, the device remains infected due to the compromised “imepaden.hlp” file.

McAfee does mention that their AV product does detect and clean this infection. However, this research shows another trick that attackers use to maintain a foothold on infected systems. When was the last time you were working on an infected system and asked the user about what HLP files they had been looking at recently?

Thanks for reading & let’s continue to be good network citizens!

What strikes me as interesting about this attack is that the focus is on Microsoft’s Internet Explorer 6. Internet Explorer 6 was released in August 2001. Internet Explorer 7 was released in October 2006. Internet Explorer 8 was released in March 2009. So, the recent attacks focused on a 8+ year old application that has been superceded by two full revisions. Didn’t anyone use automatic updates to update their IE? What kept people from updating IE?

I know that Microsoft has released an out-of-cycle update to address the vulnerability. This is a cumulative update for all currently supported of Internet Explorer. So, will this update get applied to at-risk systems? Hmmm… I wonder since it appears that there is little movement off of older versions of Internet Explorer. The attacks were on well known organizations (Google, Adobe, Juniper). Why would they still be using this older version of IE? It seems like this would raise questions about Microsoft’s penetration of newer operating systems like Vista which would be running IE7.

IE7 had issues with compatibility and html standards. IE8 is much better. Is the compatibility issue so significant that organizations stayed on IE6 rather than moving to IE7 and/or IE8?

Please share your thoughts.

Thanks for reading and let’s continue to be good network citizens!

1. Do not apply operating system patches.

2. Do not apply application patches.

3. Do open emails from unknown sources.

4. Do open attachments on emails from unknown sources.

5. Do open unexpected attachments appearing to be from known sources. “I’m sure this person meant to send me this PDF file.”

6. Do purchase and install a program which is supposed to fix the detected viruses on your computer. “I was just browsing the web and this window popped up saying I was infected and could fix all my problems with this 2010 SuperAntiMalwareAntiVirusFirewallPreventBuggySoftware application.”

7. Do follow instructions found in an email supposedly from the IRS, a banking institution or FBI asking for personal information including mother’s maiden name and social security number. The information should be entered on the website link shown in the email.

8. Do blindly click on the link shown in the email supposed to be from the trusted source. Just because the displayed link shows www.mytrustedbank.com and the clicked link shows www.mytrustedbank-com.gotchanow.cn.ru doesn’t mean that the message shouldn’t be obeyed.

9. Do go ahead and install the unsolicited Flash update on your computer. Surely that attached video won’t infect my 2010 SuperAntiMalwareAntiVirusFirewallPreventBuggySoftware protected computer.

10. Do not pay attention to that person over there saying they were infected when they ran the 2010 SuperAntiMalwareAntiVirusFirewallPreventBuggySoftware application. Surely they are not as smart as you.

What other steps would you suggest for becoming malware infected? Share your comments. <remove tongue from cheek>

Just thought I would share these tips with you. If you got this far, you might find this entry in the McAfee Security Insights blog interesting – Operation “Aurora” Hit Google, Others. Basically the attack was multi-layered. It began with social engineering and ended up with outbound data being sent to unknown attackers. It makes for some very interesting reading.

Thanks for reading & let’s continue to be good network citizens!

A new search engine recently came to my attention that every network person needs to be made aware of. This search engine is called Shodan – a computer search engine. This search engine will allow a user to search for various strings returned when connecting to ports like ftp, ssh, telnet and http. This means I could put in a search string like “cisco country:us port:23“. This would return search results that show any device returning a banner on port 23 (telnet) that has the word “cisco“.

This is scary stuff! This is similar to doing a network scan using nmap and grabbing banners from ports, but this search engine makes scanning individual hosts obsolete.

Here’s an interesting blog post about Shodan: Is SHODAN really controversial? The author followed it up with Taking SHODAN for a spin. Check out the results from this Google search for “Shodan computer search“. If some of those threads don’t scare you, then… maybe you are not an IT person!

Looks like I need to spend some time visiting Shodan to see if there’s some tightening up I need to do on systems I manage! Have you tried Shodan or anything similar? Share your experiences with other ITKE readers.

Thanks for reading and let’s continue to be good network citizens.

http://live.sysinternals.com/toolname.exe

and run the tool from a web browser. This means that you always have access to the latest valid version and can use the tool anywhere you are that has internet access.

One of the tools I most frequently use is the PsExec tool. PsExec is a command-line tool that lets you execute processes on remote systems and redirect console applications’ output to the local system so that these applications appear to be running locally. There are several command-line options on this tool so please read the documentation carefully to understand how to use this powerful tool.

The following is an example of how to use PsExec to remotely fight a system infected by malware. Note that this access works ONLY if you have administrative access on the remote Windows host.

The first step in accessing the remote system is to run the psexec command shown below where the IP address or name after the “\\” characters is the remote system. This particular command runs the cmd.exe executable that should already exist on the remote system at the IP address starting with 10. and ending in .29. In this case, the remote system is Windows XP.

One thing that a lot of malware does today is open up network connections to other machines or to the internet to spread an infection or get additional instructions. To see where this remote computer has made connections, I issue the netstat -an command. Using PsExec with the remote CMD shell is just like I am sitting at the console of the remote system so I can see the results on my screen even though the netstat command is being processed by the remote computer.

Nothing seems too amiss here. All of the remote (foreign) connections appear valid and using standard Windows ports for communication. But WAIT! This system is listening on a very strange port. What application is listening on port 22347? We can find this out using the netstat -ano command like shown below. The results show us the PID or process identifier number of the executable.

From these results, we see that the PID listening on port 22347 is 1820. So, the next step is to run tasklist to list running processes. Remember, we are doing this on a remote machine! Isn’t this cool?

Ahhh… so the executable of interest running on port 22347 and PID number 1820 is WkSvW32.exe. This doesn’t sound familiar to me. So, I need to find out what it is. How can I do that remotely? How about just running the DIR /s command at the root of the drive and see what the path is to the WkSvW32.exe executable is?

FOUND IT! The WkSvW32.exe program is in the C:\Program Files\WIBUKEY\Server folder. In this case the WIBUKEY application is supporting a license dongle for a legitimate business application. However, what if the executable had been something malicious? Well, then you would need to take some steps to get a copy of the malicious executable for forensics and identification. The machine would then need to be isolated and cleaned if possible. Do you have additional special procedures for handling malicious software like this? Please share your tips and tricks with other ITKE readers.

This article is meant to just scratch the surface and give a very practical use of the PsExec tool from the Sysinternals toolset. Other tools may be described in future entries. What tool(s) would you like me to focus on in future articles?

Thanks for reading & let’s continue to be good network citizens!