Transcript of Slide 1 - Oklahoma State University - Welcome
USING WINDOWS TO DEFEND WINDOWS
Scott Wilson, Levi Arnold, Oklahoma State University
Malware – first steps in fighting
• Recognize that something's wrong
• Learn to run a scan/removal tool, like SpyBot, SpywareDoctor, MBAM or another.
• Very excited, willing to suggest a scan as a solution to every problem they see.
Malware – next steps in fighting
• Learn about layered defenses and the difference between antivirus and anti-spyware scanners.
• Learn how to better use scanners and removal tools; know when MBAM will work better than SpyBot, know what false positives are likely to be thrown by scanners.
Begin to get past scanning
• Learn some more in-depth software tools, like the Sysinternals Utilities.
• Begin to get an idea how malware works.
Going past scanning
• Dealing with a 4-H agent's computer
• Ran SpyBot and some other scanners, but the machine kept re-infecting itself after rebooting.
Recovery Console
• In-law's computer
• Vundo and TDSS, hybridized
• Vundofix didn't work, neither did Avenger, neither did Combofix, neither did …
Recovery Console
• RC command “disable” allows disabling services/device drivers
• disable {[service_name] | [device_driver_name]}
• RC also allows viewing of hidden files
• Other boot disks can give similar options, although they can be difficult to configure.
Hosts files
• County employee who loved StarWare, even though it was making her machine crash constantly.
Hosts files
• Ad-blocking hosts files from Mike Skallas (www.everythingisnt.com) and MVPS (www.mvps.org) also block many malware sites.
Hosts files
• Host files can also be used positively, to provide a constant reference for a machine.
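The slides mention using a published blocking hosts file; merging one into a machine's own hosts file by hand is error-prone. The PowerShell function below is an added example (not from the presentation) that backs up the hosts file, skips names already present, and appends the rest as 0.0.0.0 entries, the convention the MVPS list uses. The function name and the $Hosts parameter are assumptions; point $Hosts at a scratch copy to try it before touching the live file.

```powershell
# Added example, not from the slides: merge blocking entries into a hosts file
# from an elevated prompt. Entries use 0.0.0.0 rather than 127.0.0.1 so the
# browser fails immediately instead of trying a loopback connection.
function Add-HostsBlock {
    param(
        [Parameter(Mandatory)] [string[]] $Names,                       # e.g. names copied from a blocklist
        [string] $Hosts = "$env:SystemRoot\System32\drivers\etc\hosts"  # assumption: live file by default
    )
    # Keep a copy so the change can be reverted.
    Copy-Item -Path $Hosts -Destination "$Hosts.bak" -Force

    # Collect every name already mapped on an "address name [name ...]" line,
    # ignoring comments, so the file never gets duplicate entries.
    $existing = Get-Content -Path $Hosts
    $present = foreach ($line in $existing) {
        $fields = ($line -split '#')[0].Trim() -split '\s+'
        if ($fields.Count -ge 2) { $fields[1..($fields.Count - 1)] }
    }

    $new = @($Names | Where-Object { $present -notcontains $_ } |
                      ForEach-Object { "0.0.0.0`t$_" })
    if ($new.Count -gt 0) { Add-Content -Path $Hosts -Value $new }
    return $new.Count   # number of entries actually added
}

# Usage (constructed names, not real sites):
# Add-HostsBlock -Names 'ads.example.test', 'tracker.example.test'
```

Run it twice with the same list and the second call returns 0, which is the quick check that the duplicate filter is working.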
Executable redirecting
• Open regedit
• Browse to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
• Create a new key with the name of the process you want to block; e.g., calc.exe
Executable redirecting
• Create a new string value under that key. Name it Debugger.
• Modify the value data to be: Rundll32.Exe url.Dll,FileProtocolHandler http://www.google.com/search?q=
Executable redirecting
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"Debugger"="Rundll32.Exe url.Dll,FileProtocolHandler http://www.google.com/search?q="
Executable redirecting
• Perhaps that wasn’t a good example.
Executable redirecting
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiSpyware2008.exe]
"Debugger"="cmd.exe /c echo %time% %date% >> c:\\ExecBlocked.log"
Executable redirecting
• It’s possible to call any type of executable file from the redirect, so using a batch file to script multiple actions upon malware executing is possible.
Executable redirecting
• Up side: possible to immunize the system against annoying things like AV2008.
• Possible to script events to happen to alert your IT staff when a computer gets infected.
Executable redirecting
• Down side: have to know the name of the executable or process. It’s not practical to immunize against those malware objects that generate a random name – although you can stop them executing while working on a system.
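The regedit steps above can be scripted so the same block is applied to many machines, and the same key can be read back to see what redirects are in place. The PowerShell below is an added example, not code from the presentation: it creates a Debugger value that logs a timestamp (the slides' AntiSpyware2008.exe idea), lists every image that currently has a Debugger set, and removes a block. The function names and the default log path are assumptions; it needs an elevated prompt. Windows appends the blocked program's full path to the Debugger command line, so the log also records which file tried to run. Because the key honors any Debugger value, whoever set it, the listing function doubles as a check to run when auditing a machine you did not configure.

```powershell
# Added example, not from the slides: create, list and remove IFEO "Debugger"
# redirects. Run from an elevated PowerShell prompt.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Add-IfeoBlock {
    param(
        [Parameter(Mandatory)] [string] $ImageName,   # e.g. 'AntiSpyware2008.exe' (from the slides)
        [string] $LogPath = 'C:\ExecBlocked.log'      # assumption: same path the slides use
    )
    $key = Join-Path -Path $IfeoRoot -ChildPath $ImageName
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Same idea as the slide's value: log date and time instead of launching the program.
    # Windows appends the original image path after this string, so it lands in the log too.
    $debugger = "cmd.exe /c echo %date% %time% >> `"$LogPath`""
    Set-ItemProperty -Path $key -Name 'Debugger' -Value $debugger -Type String
}

function Get-IfeoDebugger {
    # Every image that currently has a Debugger redirect, whoever created it.
    Get-ChildItem -Path $IfeoRoot | ForEach-Object {
        $value = Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue
        if ($value) {
            [pscustomobject]@{ Image = $_.PSChildName; Debugger = $value.Debugger }
        }
    }
}

function Remove-IfeoBlock {
    param([Parameter(Mandatory)] [string] $ImageName)
    $key = Join-Path -Path $IfeoRoot -ChildPath $ImageName
    if (Test-Path -Path $key) {
        Remove-ItemProperty -Path $key -Name 'Debugger' -ErrorAction SilentlyContinue
    }
}

# Usage:
# Add-IfeoBlock -ImageName 'AntiSpyware2008.exe'
# Get-IfeoDebugger | Format-Table -AutoSize
# Remove-IfeoBlock -ImageName 'AntiSpyware2008.exe'
```

Get-IfeoDebugger is the piece to keep handy: a Debugger value you do not recognize on a common program name is worth investigating before anything else.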
Going forward
• Learn about malware. Learn how it works, how it spreads, what the different types do.
• Learn some programming; it will help you to have some idea of how malware works.
Learning Resources - Blogs
• Mark Russinovich: http://blogs.technet.com/markrussinovich
• TrendMicro: http://blog.trendmicro.com/
• F-Secure: http://www.f-secure.com/weblog/
• Viruslist: http://www.viruslist.com/en/weblog
• Microsoft: http://blogs.technet.com/mmpc/
Learning Resources - Fora
• Geek University: Forum-based training for malware fighters. http://www.geekstogo.com/forum/index.php?autocom=custom&page=GeekU
• Bleeping Computer: Has both removal guides and excellent fora. http://www.bleepingcomputer.com/
• PC Hell: similar to Bleeping Computer. http://www.pchell.com/
Learning Resources - Other
• Email lists. Vince Verbeke has a good one – send him an email to subscribe.
• Books: Malware: Fighting Malicious Code by Ed Skoudis; Hacking Exposed: Malware and Rootkits by Davis, Bodmer and Lord (September 16th)