Slide 1 - Oklahoma State University - Welcome

Post on 09-Jun-2015


USING WINDOWS TO DEFEND WINDOWS

Scott Wilson, Levi Arnold, Oklahoma State University

Malware – first steps in fighting

• Recognize that something's wrong

• Learn to run a scan/removal tool, like SpyBot, SpywareDoctor, MBAM or another.

• Very excited, willing to suggest a scan as a solution to every problem they see.

Malware – next steps in fighting

• Learn about layered defenses and the difference between antivirus and anti-spyware scanners.

• Learn how to better use scanners and removal tools; know when MBAM will work better than SpyBot, know what false positives are likely to be thrown by scanners.

Begin to get past scanning

• Learn some more in-depth software tools, like the Sysinternals Utilities.

• Begin to get an idea how malware works.

Going past scanning

• Dealing with a 4-H agent’s computer

• Ran SpyBot and some other scanners, but the machine kept re-infecting itself after rebooting.

Recovery Console

• In-law’s computer

• Vundo and TDSS, hybridized

• Vundofix didn’t work, neither did Avenger, neither did Combofix, neither did …

Recovery Console

• RC command “disable” allows disabling services/device drivers

• disable {[service_name] | [device_driver_name]}

• RC also allows viewing of hidden files

• Other boot disks can give similar options, although they can be difficult to configure.

Hosts files

• County employee who loved StarWare, even though it was making her machine crash constantly.

Hosts files

• Ad-blocking hosts files from Mike Skallas (www.everythingisnt.com) and MVPS (www.mvps.org) also block many malware sites.

Hosts files

• Host files can also be used positively, to provide a constant reference for a machine.

Executable redirecting

• Open regedit

• Browse to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

• Create a new key with the name of the process you want to block; e.g., calc.exe

Executable redirecting

• Create a new string value under that key. Name it Debugger.

• Modify the value data to be: Rundll32.Exe url.Dll,FileProtocolHandler http://www.google.com/search?q=

Executable redirecting

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]

"Debugger"="Rundll32.Exe url.Dll,FileProtocolHandler http://www.google.com/search?q="

Executable redirecting

• Perhaps that wasn’t a good example.

Executable redirecting

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiSpyware2008.exe]

"Debugger"="cmd.exe /c echo %time% %date% >> c:\\ExecBlocked.log"

Executable redirecting

• It’s possible to call any type of executable file from the redirect, so using a batch file to script multiple actions upon malware executing is possible.

Executable redirecting

• Up side: possible to immunize the system against annoying things like AV2008.

• Possible to script events to happen to alert your IT staff when a computer gets infected.

Executable redirecting

• Down side: have to know the name of the executable or process. It’s not practical to immunize against those malware objects that generate a random name – although you can stop them executing while working on a system.
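As an added example that is not part of the slides: a small Python audit of a regedit (.reg) export in the format shown above, which lists every Image File Execution Options subkey carrying a Debugger value and flags those not on the administrator's intended block list. SAMPLE_REG is constructed from the two fragments on the slides plus one subkey without a Debugger value.

```python
"""Audit a regedit (.reg) export for IFEO "Debugger" values (added example, not
from the slides): lists every Image File Execution Options subkey carrying a
Debugger value so an administrator can confirm which executables are redirected."""
import re

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")

# Constructed .reg export modelled on the two fragments in the slides,
# plus one IFEO subkey that has no Debugger value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"Debugger"="Rundll32.Exe url.Dll,FileProtocolHandler http://www.google.com/search?q="

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiSpyware2008.exe]
"Debugger"="cmd.exe /c echo %time% %date% >> c:\\ExecBlocked.log"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200
'''

def unescape_reg_string(value):
    r"""Undo .reg escaping: the export writes \\ for \ and \" for ", which is
    why the slide's value appears as c:\\ExecBlocked.log."""
    return value.replace('\\\\', '\\').replace('\\"', '"')

def parse_ifeo_debuggers(reg_text):
    """Return {image_name: debugger_command} for each IFEO subkey with a Debugger value."""
    entries, image = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            image = None  # new key section; forget the previous image
            if key.lower().startswith(IFEO_PREFIX.lower() + '\\'):
                image = key[len(IFEO_PREFIX) + 1:]
            continue
        m = re.match(r'^"Debugger"="(.*)"$', line, re.IGNORECASE)
        if m and image is not None:
            entries[image] = unescape_reg_string(m.group(1))
    return entries

def unexpected_debuggers(entries, intended_blocks):
    """Image names with a Debugger value the administrator did not configure;
    Windows image names are case-insensitive, so compare lowercased."""
    intended = {name.lower() for name in intended_blocks}
    return sorted(name for name in entries if name.lower() not in intended)
```

Run it against `reg export` output of the IFEO key to see which redirects are in place; any Debugger entry you did not set yourself deserves a look, since the same key redirects whatever it names.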

Going forward

• Learn about malware. Learn how it works, how it spreads, what the different types do.

• Learn some programming; it will help you to have some idea of how malware works.

Learning Resources - Blogs

• Mark Russinovich: http://blogs.technet.com/markrussinovich

• TrendMicro: http://blog.trendmicro.com/

• F-Secure: http://www.f-secure.com/weblog/

• Viruslist: http://www.viruslist.com/en/weblog

• Microsoft: http://blogs.technet.com/mmpc/

Learning Resources - Fora

• Geek University: Forum-based training for malware fighters. http://www.geekstogo.com/forum/index.php?autocom=custom&page=GeekU

• Bleeping Computer: Has both removal guides and excellent fora. http://www.bleepingcomputer.com/

• PC Hell: similar to Bleeping Computer. http://www.pchell.com/

Learning Resources - Other

• Email lists. Vince Verbeke has a good one – send him an email to subscribe.

• Books: Malware: Fighting Malicious Code by Ed Skoudis; Hacking Exposed: Malware and Rootkits by Davis, Bodmer and Lord (September 16th)