Slashdot Mirror


Internet Security Warnings

Juha-Matti Laurio writes "Internet Storm Center's Diary reported today: Due to a number of very well working Windows exploits for this week's patch set, and the zero-day Veritas exploit, we decided to turn the Infocon to yellow. The following Internet Threat Level meters are at level 2/4 because of the Windows Plug and Play vulnerability's several exploit codes too: Symantec ThreatCon as a part of the global DeepSight Threat Management System saying Increased alertness and Internet Security Systems X-Force with Increased vigilance at AlertCon."

16 of 296 comments

  1. Re:Another color-code system? by confusion · · Score: 2, Informative

    To the security departments of companies the elevated levels mean that we have something new to pay attention to that we haven't been looking for before. Certainly being green doesn't mean that we can let our guards down.

    Applying these alert levels doesn't make any sense at the individual level, for the exact reason you gave.

    Jerry
    http://www.cyvin.org/

  2. Plug and Play vulnerabilities already known by Parallax+Blue · · Score: 2, Informative

    Correct me if I'm wrong but haven't there already been warnings about Plug and Play prior to this? I know at least one security website that had warnings about Plug and Play a long time ago, along with a handy utility to disable it. See below.

    http://grc.com/UnPnP/UnPnP.htm

    You'll notice this was circa December 2001, fully 4 years before these new exploits.

    1. Re:Plug and Play vulnerabilities already known by insecuritiez · · Score: 4, Informative

      That link refers to UPnP, Universal Plug and Play, a networking-based technology for device discovery and configuration. The vulnerability concerning the ISC is a PnP vulnerability. Plug and Play is used for internal device discovery and configuration. The two are totally different. Microsoft, in a fit of brilliance, thought that exposing the internal PnP via RPC to the rest of the world was a good idea. As it turns out there is an unchecked buffer that, with Windows 2000 machines, is accessible via a NULL Session. In XP and 2003 the buffer requires a valid account or even an admin account to expose. The threat of a Windows 2000 based worm in the next few days is very real. All of you with XP and 2003 aren't in immediate worm danger.

    2. Re:Plug and Play vulnerabilities already known by homesteader · · Score: 2, Informative

      This is not an old exploit. It's quite fresh . . .

      August 9th Release, which is 4 days ago. Exploits were reported in the wild on Friday, 3 days after the release. There's also a remote exploit in the Spooler service, which is of course enabled by default on all Win2k/XP/2k3 machines. I approved this patch on Friday, hopefully Monday won't bring scores of hosed machines.

      Microsoft Security Bulletin MS05-039 (899588)
      http://go.microsoft.com/fwlink/?LinkId=48900/

  3. Netcraft Confirms It. by bmo · · Score: 5, Informative

    Windows is dying.

    Well, it's deathly ill, mostly. The average Windows end user is in a never-ending battle against the baddies. They buy their systems at the Best Buy, bring them home, run for a couple of months, and then complain that they can't log in.

    Then they call me, or someone like me. With disdain, I inform them that I'm wicked busy but I'll do it "this time".

    When I get my grubby hands on their machines, they're fubar. It's not for lack of trying either, because there are multiple Virus, Trojan, and Firewall apps, all fighting over the same machine, including the odd fake anti-trojanwares. You know the ones I'm talking about. We've all seen them. "Click here for a FREE security scan!" and then the machine gets YET another bit of evil.

    I simply don't know what to do anymore. I clean them up, set up security, knowing - just KNOWING that it's all in vain. Just yesterday, I got an "e-postcard" in the mail, and it was just an overt attempt at infection. There wasn't anything that would trip an AV or firewall in the mail, just an obfuscated link that actually pointed at a cryptically named .exe. I know far too many people who are e-card addicts, and I am SURE they would have clicked.

    Toast. Totally goddamn toast. The fact that Windows programs have their execute bit as part of the filename is probably the worst thing ever to happen to an OS. One click, and yet another "svchost.exe" process. No lube, no kiss, no reach-around, just total PC anal rape.

    And without a total redesign of Windows or dumping the platform for Apple or Linux, Joe and Josephine User are SOL. Vista is going to be more of the same, as it's going to be simply XP SP3 with more chrome.

    Ah well.

    If anyone knows anything about a0190313376667.gif.exe, mail me at my alias AT Entropy dawt TMOK dawt com. There's hardly anything on the 'net about it except some German blogs.

    --
    BMO

    1. Re:Netcraft Confirms It. by bmo · · Score: 5, Informative

      I think you misunderstand....

      I am _not_ a professional admin who has a network of machines to maintain or easy access to the machines I fix or the authority to command people to do as I want. I'm "the guy that fixes stuff" for his friends/enemies.

      Go 'round every couple of months requesting that everyone send me their machines for updating the OS? Are you out of your mind? Ghost? Are you out of your mind? These are all individual machines, not something cookie-cutter that I could administer in a sane way.

      Yes, I would love to standardize all these machines with the same Windows distribution. I would love to partition the drives so that the OS resides on a separate partition from the user data, and yet another partition for the extra installed programs. That would be sane. But that would mean I would have to furnish boxed copies of XP at the retail price myself, to be sold to the "customers" so I can do it up right.

      "But I have Windows! Why do I have to buy another?"

      Things were so much simpler when PCs came with full OS licenses and a full set of disks. Now, the only choice is to either manually disinfect for HOURS without disturbing too much of the installation, or format and use the "recovery" cd, and the user is fucked for whatever was on the machine if it was never backed up.

      It's fucking maddening is what it is.

      The day that Microsoft stopped the likes of Dell and HP from furnishing OEM CDs spelled doom for the customer who wanted to have a multiple partition setup. Now if you want that, you need to purchase a full Windows kit that costs 200 bux for XP Home.

      --
      BMO

    2. Re:Netcraft Confirms It. by Emporerx · · Score: 2, Informative

      Hi,

      If I'm not mistaken, that particular executable file is probably one of many created by a program called WinPup (WinPup32?). When I used Windows I noticed spikes in CPU usage at about five second intervals. I called up the mighty (HA) task manager and took a look at the processes. Randomly named .exe's popped up every five seconds.

      Do a google on WinPup. It will involve(if I remember correctly) deleting the winpup file from /system32 and editing the registry. Best in safe mode if I'm right. This can be tricky because the registry entry also changes names with the random executables so you must be fast(even in safe mode). It is a bitch. Probably one of the harder ones I had to remove.

      I hope this helps you bmo. Let us know.

      As for the new security threats.. Bah. I run linux, very happily, now.

    3. Re:Netcraft Confirms It. by pmdata · · Score: 2, Informative

      Great post. Part of the problem is just like you say, Windows is dead and should be retired as soon as possible. The other issue is that we are a reactionary society, only "fixing" the problems that become too out of control or after a monstrous disaster. This easily applies to information security. Couple that with the fact that everything today has to be easy and instantaneous, and you've got real problems.

  4. Re:The waiting game? by jerw134 · · Score: 3, Informative

    The patches for Windows are already out: click

  5. Re:And it doesn't help that many legit Windows use by jerw134 · · Score: 2, Informative

    Critical updates can still be obtained without passing WGA.

  6. Re:Yellow is pretty rare.. by lamj · · Score: 5, Informative

    One happy customer :-)

    You are correct. We want the infocon to stay at green most of the time and only raise it when necessary. Think about this, if we keep it at yellow all the time, it would eventually lower people's perception of the current threat. Trust me, we do try very hard to only raise it when necessary and appropriately.

    Disclaimer: I am one of the ISC guys.

  7. Re:It hate to say it... by advocate_one · · Score: 4, Informative

    the final two paragraphs you quoted are not from the email, but are PJ's comments on the matter... please give proper attribution NEXT TIME... for our regular readers, here's the link to the proper article he quoted from...

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.

  8. Mostly Business as usual... by Fallen+Andy · · Score: 3, Informative

    I guess someone over at ISC had to blow the dust off the colo(u)r sensor (grins), but seriously, not much on the radar to panic anyone right now. Still, if you aren't awake you really ought to add ISC to your morning newspaper (wakeup + gallon of coffee) along with some others, so for the sake of people who don't grok the need to be aware (but: go read Doug Adams and don't panic as well!):

    Here goes: (sometimes costs me an hour in the morning, but it's worth the effort...).

    http://www.dshield.org/ http://secunia.com/ http://vitalsecurity.org/ http://www.f-secure.com/weblog/ - gossip and just plain fun (cough) dilbert (cough).
    (many others, but i'm tooo lazy on a sunday morning to write em...).

    Oh, and be sure to replace the Windows task manager with the wonderful (process explorer) over at the always splendid Mark Russinovich's sysinternals.com (it'll save you when your friend's machine gets pwn3d). (hint: it shows tcp/ip connections so you can see if ET is phoning home).

    Finally, no list would be complete without a pointer to "comp.risks" (google groups ok?). Laugh. It helps...

    cheers all,
    Andy.

  9. Re: 40 mothers agree: Cleaning Windows is a PITA by homesteader · · Score: 5, Informative

    More often than not these days, the real tough buggers have randomly generated process names. Here's how I clean a machine:

    Tools required:

    Process Explorer(procexp) from http://www.sysinternals.com/
    autoruns.exe from the same, or hijackthis.exe from http://www.merijn.org/
    Any good virus scanner (McAfee's Enterprise scanner is decent). Use a simple scanner if possible, not a scanner/firewall/spam filter/personal servant. It will generally be faster and simpler.
    Ad-Aware from http://www.lavasoft.de/
    LSPFix from http://www.cexx.org/lspfix.htm/
    Updated Stinger from McAfee http://vil.nai.com/vil/stinger/
    Experience enough to know valid windows processes and files.

    Have all of this on a USB drive or CD. Will probably fit on a 64mb drive, unless your virus package is bulky.

    Boot to safe mode

    Start Task Manager or Proc Explorer and kill anything that doesn't look good, or everything that you know isn't part of windows. You could go to Control Panels:Admin Tools:Services and stop all services first, this will narrow the field.

    Run Stinger, just let it scan memory and running apps. Don't wait for it to do a full system scan.

    Run Ad-Aware, do the same. Just trying to ditch bad things that are actually running.

    If you've gotten this far in 15 minutes, the machine probably isn't in too bad of shape. Dump all temp files, c:\temp, c:\winnt(windows)\temp, c:\documents and settings\username\local settings\temp, c:\documents and settings\username\local settings\temporary internet items

    Update virus definitions and do a full scan. Latest SuperDAT from McAfee or Definitions from Symantec or whoever you use, should also be put on the USB drive or CD.

    So, virus scan didn't deal with it, or couldn't stop/remove it? This is where it gets tricky and completely manual. This is the point where most people give up, since you really need to know what should be where in Win2k/XP/2k3. I'm really not thinking of 95/98/Me, if those are hosed just wipe it clean and move to XP home for $99-199

    Run HiJackthis and look for gremlins. This tool really requires an eye for what is supposed to be there, but pay special attention to startup objects and BHOs(Browser Helper Objects aka evil Internet Explorer plugins)

    Add/Remove programs. Go through it with the client. Anything they don't recognize, or know they don't need, ditch. This can be risky, since people forget, but compared to a reinstall . . .

    Now for the real manual part . . .

    Run lspfix and check for foreign entries. There are normally 2-4 LSP's present. I usually only do this if there are persistent network failures.

    Check the Hosts file at c:\winnt(windows)\system32\drivers\etc\hosts. There really should only be one entry in here, for 127.0.0.1 localhost. You may have already checked this with hijackthis.

    Browse to c:\winnt(windows). Sort by date. On a default install, the file modify dates are going to be a long time ago. If you see anything from within the last few months, get suspicious. Ignore log/text files, but don't ignore those without an extension. Do the same for c:\winnt(windows)\system32. This can be a bit trickier, there are way more files in system32 than winnt(windows), but the same rule generally applies. Anything from the last 3-6 months is suspicious.

    Do the same for c:\program files. Delete any empty folders that your previous uninstall didn't remove. You should have an idea what is supposed to be here, after doing Add/Remove programs, so hack and slash the folders that you don't think belong.

    In one of these deleting sprees you are sure to find something bad that won't let itself be deleted, usually a .dll that is registered and can't be removed. Never fear! Write down the .d
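Two of the manual checks in the post above (the hosts file that should hold only the localhost line, and the sweep for recently modified files that skips log/text files but keeps extensionless ones) as an added Python example; this is not the poster's code, and the hosts text, directory listing and file names are constructed samples.

```python
"""Added triage helpers for two of the manual checks in the post above:
the hosts file should hold only the localhost entry, and files in the
Windows / system32 directory modified recently deserve a closer look."""
from datetime import datetime, timedelta

# Constructed sample hosts file: the canonical entry plus two hijack-style
# lines (one blocking an AV vendor's site, one redirecting a bank-like name).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       vil.nai.com
192.0.2.10      www.example-bank.com   # points at a host the owner never set
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping blank lines and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            entries.append((fields[0], name.lower()))
    return entries


def suspicious_hosts_entries(text):
    """Everything except the one line the post says should be there."""
    return [e for e in parse_hosts(text) if e != ("127.0.0.1", "localhost")]


# Constructed directory listing as (filename, last-modified time); a real
# sweep would use os.scandir() and st_mtime on c:\windows\system32.
NOW = datetime(2005, 8, 14)
SAMPLE_LISTING = [
    ("kernel32.dll", datetime(2004, 8, 4)),      # install-era timestamp
    ("rnd3x9q.exe", datetime(2005, 8, 12)),      # fresh, randomly named
    ("setupapi.log", datetime(2005, 8, 13)),     # log file: ignore
    ("wininit", datetime(2005, 8, 11)),          # fresh and extensionless
]


def recently_modified(listing, now=NOW, months=3, ignore_ext=("log", "txt")):
    """Names touched within the window; log/text files are skipped but
    extensionless files are kept, as the post advises."""
    cutoff = now - timedelta(days=30 * months)
    flagged = []
    for name, mtime in listing:
        ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
        if ext not in ignore_ext and mtime >= cutoff:
            flagged.append(name)
    return flagged
```

Anything either function returns is a lead to investigate by hand, not proof of compromise; as the reply below notes, results gathered from within a compromised system are only as trustworthy as that system.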

  10. Re: 40 mothers agree: Cleaning Windows is a PITA by http · · Score: 3, Informative

    You cannot clean a compromised system with tools running within that system, even in Safe Mode. That's like asking your mayor if s/he's been bribed or not and expecting an honest answer just because the question has been posed during a public council meeting. Wipe, and install from scratch. I would count those ~2 hours as lost in the sense that the system may not have been fixed; you'd probably have been better off watching a funny movie with kith and kin.
    Try googling rootkit. *nix has been around ~35 years, and not with a perfect security record. *nix admins have been dealing with breaches for a long time. While the *nix mindset has come up with clever tricks to detect rootkits I have yet to hear anyone successfully defend cleaning any system from within itself. The problem with this approach has nothing to do with *nix and applies across multiple platforms. Because the system is compromised, you can't trust ANYTHING the system tells you about itself, or any tools that use the system to gather information about the system.
    I'm hard pressed to imagine an operating system where this would not be the case, but perhaps others would enlighten me.

    --
    If opportunity came disguised as temptation, one knock would be enough.
    3^2 * 67^1 * 977^1

  11. Re: 40 mothers agree: Cleaning Windows is a PITA by homesteader · · Score: 2, Informative

    I fully agree. My home network is made up of 3 OS X machines and one windows box for when necessary. With OS X, I could actually agree that the best fix for a compromised machine(were it to happen) would be a reinstall, since there's nothing user specific in the System directory anyway.