Defending Your Machine

0 views
Skip to first unread message

Frank Bohan

unread,
Sep 5, 2005, 8:04:56 AM9/5/05
to
Lots of useful advice and links:

http://defendingyourmachine.blogspot.com/

===

Frank Bohan
ś Beware the legless man who teaches running.


John Corliss

unread,
Sep 6, 2005, 5:59:58 AM9/6/05
to
Frank Bohan wrote:
> Lots of useful advice and links:
>
> http://defendingyourmachine.blogspot.com/

Thanks for the link, Frank. There really is a lot of good stuff there.
However, I see there's still no way (freeware or website) to detect
rootkits on ME or W9x. From what I've read about rootkits, it looks to
me like they exploit a weakness in Windows that possibly was brought
about by Microsoft wanting to hide folders and files on a person's
system for whatever agenda, theirs or the governement's.

IMO rootkits will eventually drive those of lower financial means off of
the internet.

--
Regards from John Corliss
My current killfile: aafuss, Chrissy Cruiser, Slowhand Hussein and others.
No adware, cdware, commercial software, crippleware, demoware, nagware,
PROmotionware, shareware, spyware, time-limited software, trialware,
viruses or warez please.

REM

unread,
Sep 6, 2005, 7:58:30 AM9/6/05
to

> John Corliss <jcor...@fake.invalid> wrote:

>>Frank Bohan wrote:
>> Lots of useful advice and links:

>> http://defendingyourmachine.blogspot.com/

>Thanks for the link, Frank. There really is a lot of good stuff there.
>However, I see there's still no way (freeware or website) to detect
>rootkits on ME or W9x. From what I've read about rootkits, it looks to
>me like they exploit a weakness in Windows that possibly was brought
>about by Microsoft wanting to hide folders and files on a person's
>system for whatever agenda, theirs or the governement's.

From previous reading, root kits came about in UNIX before we had a
graphical web. The problem is that languages like C contain methods
that can be used grab control, regardless of the OS.

>IMO rootkits will eventually drive those of lower financial means off of
>the internet.

If a person gets and executes bad code then bummer. That's a given in
dealing with the internet.

A good approach is to have a dedicated internet machine that contains
no sensitive data. A jump drive can transport files to another
machine.

I just setup my old 98SE machine for my daughter. I created three
bootable partitions with Ranish and installed XOSL as the boot
manager. After getting the first partition installed and setup I used
xxcopy to clone to the other two bootable partitions.

Now if something happens to the first partition she can use the second
until I get a chance to repair it.

When I do repair, I log onto the backup partition (passworded) and
format the other two partitions and xxcopy everything back.

It takes 30 minutes or so, versus days, to repair the two partitions
and get everything booting again. If things get bad with root kits and
such you could do this everytime you boot to be assured that you are
booting up clean.

A batch file on the backup drive can format and xxcopy and reboot.

I cannot think of a better approach than "throwing out the bath water"
and running a fresh tub when in doubt.


David

unread,
Sep 6, 2005, 9:52:33 AM9/6/05
to
On Tue, 06 Sep 2005 02:59:58 -0700, John Corliss
<jcor...@fake.invalid> typed furiously:

>Frank Bohan wrote:
>> Lots of useful advice and links:
>>
>> http://defendingyourmachine.blogspot.com/
>
>Thanks for the link, Frank. There really is a lot of good stuff there.
>However, I see there's still no way (freeware or website) to detect
>rootkits on ME or W9x. From what I've read about rootkits, it looks to
>me like they exploit a weakness in Windows that possibly was brought
>about by Microsoft wanting to hide folders and files on a person's
>system for whatever agenda, theirs or the governement's.
>
>IMO rootkits will eventually drive those of lower financial means off of
>the internet.

I heard that Win9x/ME lacked the hooks for rootkits to attach
themselves and were not vulnerable.
--
David
Remove "farook" to reply
At the bottom of the application where it says
"sign here". I put "Sagittarius"

Art

unread,
Sep 6, 2005, 9:58:48 AM9/6/05
to
On Tue, 06 Sep 2005 06:58:30 -0500, REM <REMbr...@inu.net> wrote:

>I just setup my old 98SE machine for my daughter. I created three
>bootable partitions with Ranish and installed XOSL as the boot
>manager. After getting the first partition installed and setup I used
>xxcopy to clone to the other two bootable partitions.
>
>Now if something happens to the first partition she can use the second
>until I get a chance to repair it.

Best to use removeable media. I use a drive tray so my cloned backup
drives can plug in and out.

Art

http://home.epix.net/~artnpeg

Art

unread,
Sep 6, 2005, 10:07:30 AM9/6/05
to
On Tue, 06 Sep 2005 23:22:33 +0930, David <faro...@picknowl.com.au>
wrote:

>>IMO rootkits will eventually drive those of lower financial means off of
>>the internet.
>
>I heard that Win9x/ME lacked the hooks for rootkits to attach
>themselves and were not vulnerable.

If so, Symantec is wrong about affected OS in this description:

http://securityresponse.symantec.com/avcenter/venc/data/hacktool.rootkit.html

Or maybe there are roots and then there are rootkits, if you know what
I mean :)

Post your question on one of the virus lists. Someone may know for
sure, one way or the other. I haven't yet researched the question.

Art

http://home.epix.net/~artnpeg

Message has been deleted

REM

unread,
Sep 6, 2005, 10:37:31 AM9/6/05
to

> Art <nu...@zilch.com> wrote:

>> REM <REMbr...@inu.net> wrote:

>>I just setup my old 98SE machine for my daughter. I created three
>>bootable partitions with Ranish and installed XOSL as the boot
>>manager. After getting the first partition installed and setup I used
>>xxcopy to clone to the other two bootable partitions.

>>Now if something happens to the first partition she can use the second
>>until I get a chance to repair it.

>Best to use removeable media. I use a drive tray so my cloned backup
>drives can plug in and out.

I just gave her my old 512 meg drive and I bought a 1 gig drive. The
98SE machine would not recognize the newer drive. I did not get a
chance to mend this before she left.

I think I'd have to create an image with compression to get it on a 1
gig drive. I installed my old software, Word, Excel, etc. since I have
no need for them anymore. We got her a cool HP printer\copier\scanner
and the software to run that thing was enormous! Unbelievablly huge!
It is a great machine though. Well, when we see how much ink they put
into the cartriges it'll be final..

I don't really like the multiple (a bunch of) CDs method of backing
up.

I'm using two drives to save to. Using XOSL I hide all partitions from
each other. I unhide a partition when I want to clone back a clean
copy. This makes the hidden partitions show as non-MS partitions, so I
don't think that malware can touch the hidden backups.



REM

unread,
Sep 6, 2005, 11:35:08 AM9/6/05
to

> Mel <M...@nospam.com> wrote:

>> David wrote:

>>I heard that Win9x/ME lacked the hooks for rootkits to attach
>>themselves and were not vulnerable.

>That's funny: I heard that DOS is Vulnerable to RootKits.

Some of the pages I've browsed before:

http://www.f-secure.com/v-descs/rootkit.shtml

"Rootkit (generic description)

Rootkit is usually a standalone sofware component that attempts to
hide processes, files, registry data and network connections. Rootkits
are typically not malicious by themselves but are used for malicious
purposes by viruses, worms, backdoors and spyware. A virus combined
with a rootkit produces what was known as full stealth viruses in the
MS-DOS environment."

"Windows 95, 98, ME

If Windows 9x operating system is used, it is recommended to restart a
computer from a bootable system diskette and to delete an infected
file from command prompt. For example if a malicious file named
ABC.EXE is located in Windows folder, it is usually enough to type the
following command at command prompt:

DEL C:\WINDOWS\ABC.EXE

and to press Enter. After that an infected file will be gone."


http://searchsecurity.techtarget.com/general/0,295582,sid14_gci1068924,00.html

"One new tool that helps you fight root kits is RootkitRevealer from
Sysinternals, a Web site that provides utilities and source code
related to Windows NT/2000/XP/2K3 and Windows 9x, Windows Me
internals.

Every exploit has to start off by being a file somewhere. Since root
kits go to great lengths to conceal their presence from the system as
a file, RootkitRevealer uses this very tactic against them. It works
by taking two manifests of the contents of the system -- one via the
standard file system or Registry APIs, and another by reading the raw
contents of the file system or the Registry (depending on how the root
kit hides) and comparing the two. Wherever there are differences
between the two, that's usually a telltale sign that a root kit is at
work."


Pretty technical:

http://www.securiteam.com/securityreviews/5FP0E0AGAC.html


My view:

First line defense: A user has to be tricked into executing the code,
or exploited somehow. The mhtml exploit could easily be used for
anyone who is not patched. Do the critical updates and use caution!

Second line defense: Reinstall the boot partition regularily. Save
data and files, etc. to a dedicated data partition. Every so often it
will be necessary to create a new boot partition image with new
critical updates and other program updates. Start from scratch with a
fresh image re-install, patch, update, create a new image file.

As bad as these things are, it's more of a pest problem if steps are
taken to refresh the boot partition and nominally good judgement is
used in deciding what gets executed.

Yortuk Festrunk

unread,
Sep 6, 2005, 12:11:30 PM9/6/05
to
On Tue, 06 Sep 2005 02:59:58 -0700, John Corliss wrote:

> From what I've read about rootkits, it looks to
> me like they exploit a weakness in Windows that possibly was brought
> about by Microsoft wanting to hide folders and files on a person's
> system for whatever agenda, theirs or the governement's.
>
> IMO rootkits will eventually drive those of lower financial means off of
> the internet.

Jesus, what a fuckken tool you are. Idiot.

roadster3043

unread,
Sep 6, 2005, 3:43:45 PM9/6/05
to
Yortuk Festrunk <"Yortuk Festrunk"@snl.com> wrote in
news:asokbbhwqdzb$.det9q191...@40tude.net:


> Jesus, what a fuckken tool you are. Idiot.
>

Another one for the Plonk! list. :)

Message has been deleted

Jim Byrd

unread,
Sep 6, 2005, 6:25:55 PM9/6/05
to
Good link, Mel. I found this particularly noteworthy:

"There are some experimental systems that seek to measure untoward network
behavior and isolate

machines that are behaving in an anomalous manner. Automated measures at a
larger scale

may be necessary to cope with the increasing virulence and speed of malware.
Consider:

. The Brain virus, introduced in 1986, required 5 years to reach its maximum
level of spread.

This was to approximately 50,000 machines, and resulted in perhaps $5
million in damages

according to some estimates.

. The Melissa macro worm, released 13 years later, spread to approximately
150,000 systems

over a period of four days. Damage was estimated to be in the vicinity of
$300 million.

. The ILOVEYOU macro worm, released in May 2000 spread to as many as 500,000
systems

in a little over 24 hours. Damage was estimated to be as much as $10
billion.

. The Code Red and Nimda worms in October/November 2001 exploited flaws with
published

fixes but still managed to compromise 500,000 systems in 14-16 hours.
Several billion

dollars in damages were estimated.

. The Sapphire/Slammer worm at the beginning of this year, also exploiting
flaws with

known patches, reached its maximum spread of 75,000 systems in 10 minutes.
It was

doubling every 8 seconds. It caused over a billion dollars in damages
(approximately

$13,000 per machine; $1.7 million per second).

Faster propagation of malicious software is possible, especially if some
preplanning is done, and

it is started by multiple entities. Greater damage is also possible."
(page 16)

--
Regards, Jim Byrd, MS-MVP
My Blog, Defending Your Machine, here:
http://defendingyourmachine.blogspot.com/

"Mel" <M...@nospam.com> wrote in message
news:sm1sh1pjolsg8unrt...@4ax.com

> Presumably hidden files would show up if the system is booted using a
> trusted kernel and the file system scanned with a scanner that knows
> where to look for them and what to look for? I seem to remember having
> to do this reliably to detect MSDOS infection by certain viruses a few
> years ago. The problems with this approach are a bit of routine
> downtime while you run this kind of thing, maintaining separation
> between the potentially compromised and trusted scanning
> environments, and keeping malware scanning software up to date.
> Alternatively if the evidence is on the disk and the same disk can be
> simultaneously mounted read-only using another otherwise isolated
> system a similar security scan could be done without downtime. This
> will probably be followed by versions which remove themselves from
> disk when they load themselves into memory, and resave themselves to
> disk when the systems shut down.
>
> So I guess other defences might have to involve virtualising the
> environment and running this within a sandbox continually monitored
> for known attack signatures.
>
> These precautions all put up the cost of running computing
> environments which retain similar levels of reasonable trust prior to
> discovery of this kind of technique.
>
> The following is an interesting read:
>
>
http://203.162.7.79/webs/comsci/ACMComputingSurveys/www.acm.org/usacm/PDF/03-07-24spafford.pdf


Message has been deleted

REM

unread,
Sep 7, 2005, 8:31:59 AM9/7/05
to

> Mel <M...@nospam.com> wrote:

>Presumably hidden files would show up if the system is booted using a
>trusted kernel and the file system scanned with a scanner that knows
>where to look for them and what to look for? I seem to remember having
>to do this reliably to detect MSDOS infection by certain viruses a few
>years ago. The problems with this approach are a bit of routine downtime
>while you run this kind of thing, maintaining separation between the
>potentially compromised and trusted scanning environments, and keeping
>malware scanning software up to date. Alternatively if the evidence is
>on the disk and the same disk can be simultaneously mounted read-only
>using another otherwise isolated system a similar security scan could be
>done without downtime. This will probably be followed by versions which
>remove themselves from disk when they load themselves into memory, and
>resave themselves to disk when the systems shut down.

Yes. Being a PC user is one thing. Maintaining the integrity of a
network is another. This must be pretty scary for anyone in charge of
a network, and I guess to anyone of us who has personal data on that
network. The economic implications are very broad. On a personal
level, pretty much everything that is required for identity theft is
out there for the taking.

The registry would seem the best place to nail anything that deletes
itself and then saves itself back on shutdown, in Windows anyway.

>So I guess other defences might have to involve virtualising the
>environment and running this within a sandbox continually monitored for
>known attack signatures.

As simple as the code is and as many places that demonstrate this with
examples, I don't see a real database of signatures being of real
value. It might catch those that copy and paste, but "designer"
attacks would be relatively simple to write.

Another possible solution; booting from an UBCD4Win type CD for the
basic operating system. That's not realistic. But it's an option I
suppose. It would still require reboots to keep it clean and uptime
requirements simply do not allow for this.

>These precautions all put up the cost of running computing environments
>which retain similar levels of reasonable trust prior to discovery of
>this kind of technique.

>The following is an interesting read:

>http://203.162.7.79/webs/comsci/ACMComputingSurveys/www.acm.org/usacm/PDF/03-07-24spafford.pdf

Nice link!


Message has been deleted

David

unread,
Sep 7, 2005, 1:15:17 PM9/7/05
to
On Tue, 06 Sep 2005 09:37:31 -0500, REM <REMbr...@inu.net> typed
furiously:

>
>> Art <nu...@zilch.com> wrote:
>
>>> REM <REMbr...@inu.net> wrote:
>
>>>I just setup my old 98SE machine for my daughter. I created three
>>>bootable partitions with Ranish and installed XOSL as the boot
>>>manager. After getting the first partition installed and setup I used
>>>xxcopy to clone to the other two bootable partitions.
>
>>>Now if something happens to the first partition she can use the second
>>>until I get a chance to repair it.
>
>>Best to use removeable media. I use a drive tray so my cloned backup
>>drives can plug in and out.
>
>I just gave her my old 512 meg drive and I bought a 1 gig drive. The
>98SE machine would not recognize the newer drive. I did not get a
>chance to mend this before she left.
>
>I think I'd have to create an image with compression to get it on a 1
>gig drive. I installed my old software, Word, Excel, etc. since I have
>no need for them anymore. We got her a cool HP printer\copier\scanner
>and the software to run that thing was enormous! Unbelievablly huge!
>It is a great machine though. Well, when we see how much ink they put
>into the cartriges it'll be final..
>

I gave up on HP because of the cost of cartridges. I like their
machines but $AU70.00 for a black cartridge is beyond my means. Even
the generics are $AU50.00+

>I don't really like the multiple (a bunch of) CDs method of backing
>up.
>
>I'm using two drives to save to. Using XOSL I hide all partitions from
>each other. I unhide a partition when I want to clone back a clean
>copy. This makes the hidden partitions show as non-MS partitions, so I
>don't think that malware can touch the hidden backups.
>

Probably not yet, but don't rely on it in the future.

Hootowl

unread,
Sep 9, 2005, 1:57:40 AM9/9/05
to
On Wed, 07 Sep 2005 07:31:59 -0500, REM <REMbr...@inu.net> wrote:

>
>> Mel <M...@nospam.com> wrote:
>
>>Presumably hidden files would show up if the system is booted using a
>>trusted kernel and the file system scanned with a scanner that knows
>>where to look for them and what to look for? I seem to remember having
>>to do this reliably to detect MSDOS infection by certain viruses a few
>>years ago. The problems with this approach are a bit of routine downtime
>>while you run this kind of thing, maintaining separation between the
>>potentially compromised and trusted scanning environments, and keeping
>>malware scanning software up to date. Alternatively if the evidence is
>>on the disk and the same disk can be simultaneously mounted read-only
>>using another otherwise isolated system a similar security scan could be
>>done without downtime. This will probably be followed by versions which
>>remove themselves from disk when they load themselves into memory, and
>>resave themselves to disk when the systems shut down.
>
>Yes. Being a PC user is one thing. Maintaining the integrity of a
>network is another. This must be pretty scary for anyone in charge of
>a network, and I guess to anyone of us who has personal data on that
>network. The economic implications are very broad. On a personal
>level, pretty much everything that is required for identity theft is
>out there for the taking.
>
>The registry would seem the best place to nail anything that deletes
>itself and then saves itself back on shutdown, in Windows anyway.

I'm not a techie, so please inform me-wouldn't simply turning off the
computer without shutting down the system first eradicate something
like this? I know you would lose unsaved data, but...
>

REM

unread,
Sep 9, 2005, 8:02:47 AM9/9/05
to

> Hootowl <ELN/zo...@earthlink.net> wrote:

>> REM <REMbr...@inu.net> wrote:

>>The registry would seem the best place to nail anything that deletes
>>itself and then saves itself back on shutdown, in Windows anyway.

>I'm not a techie, so please inform me-wouldn't simply turning off the
>computer without shutting down the system first eradicate something
>like this? I know you would lose unsaved data, but...

Hmmm, that's an interesting thought. It should if the malware only has
a single method of making certain that it remains on the system. It
would be lost just as an unsaved word document would.

I think malware writers are using multiple methods of maintaining
control in many cases. The good side is that the more methods utilized
make for easier discovery. It will lose the stealth that is so
critical to make detection really tough.

An example is an autostart entry that silently downloads the payload.
HiJackThis will easily detect this flaw.


Reply all
Reply to author
Forward
0 new messages