Sunday, January 13, 2008

This Weekend in Security News

How many extras did Steven Spielberg use when filming the intense and gripping 24-minute Normandy beach scene in Saving Private Ryan? I'm still not sure but it was amazing and heart-wrenching.

Some clever graphic artists decided to see if they could recapture a bit of the drama on a shoe-string budget, with just three actors and some very clever editing.

Their work is very educational and amazing.

Storming Normandy on a budget » Drawn!

Similarly, keeping systems safe and secure against threats doesn't take a hoard of thousands, with the right tools, knowledge, skills and determination, you too can win the battle against security threats.  (I'm sure having a green-screen might be helpful as well, somehow.)

Few more interesting posts on the computer security front.

On Testing Considerations

Security zone: the trouble with testing anti-malware - Computer Weekly's David Harley considers issues with testing anti-malware products.  The article itself is pretty light-reading but Mr. Harley proposes that two main issues with testing anti-malware products exist:

● For some reason anti-malware testing attracts many people who are not well-versed in testing methodologies in general.

● Even worse, it also attracts people who have a somewhat distorted idea of what this type of software is and how it works. (I will not dispute that the research community has, to some extent, brought that upon itself by cultivating a secretive, ultra-paternalist culture.)

At a technical level, this may be true of, say, a spreadsheet program, too. However, when people review a spreadsheet program or a word processing program, they take a lot for granted: when did you last see a review of a spreadsheet program that included a check of the mathematical or statistical functions?

Mr. Harley concludes that while there are some organizations that are trustworthy (he offers up Virus Bulletin and ICSA Labs as examples) what is needed is convincing other "casual testers" that they should follow improved methodologies for reviewing and testing anti-malware products.

Before I recommend a product, I do research on the Net, from other bloggers, I check forums of trusted anti-malware communities, and then I do test-runs on virtual systems.  If all these check out good, if the product is stable, not slathered in bloatware or other (to me) unneeded functions, performs a variety of scans, updates the DAT signature files frequently, and is effective at removing malware I encounter in the field, I'm usually happy.  Unfortunately, there are still a lot of rogue anti-malware products out there, waiting to mislead the desperate or the unknowing.

See also this link-laden article, also from Computer Weekly: Prevent malware infection with malware detection tools

Super-Duper Suite of Tools

Erwan's Lab - (freeware) - I'm not sure how I stumbled across this IP sniffer utility and utility suite but it is a pretty good collection. Does require WinPcap.  Includes basic networks traffic sniffing features like filter, decode, replay, parse…

The IP tools include (among other things): Bandwidth monitor, adapter statistics (IP & NDIS), a wireless stumbler, list and manage routes, enable & disable host as a router, list and manage open ports and attached processes, view network config (interfaces, adapters, parameters), spoof ARP (and do ARP cache poisoning), TCP, UDP, ICMP, DHCP, change MAC address, DNS (advanced) Query, DNS Server, Local resolver, DHCP Server (with PXE support), DHCP Discover,  Whois Query, Mail client (SMTP & MAPI). TCP tools include: TCP ping, TCP half scan, Time-Daytime client/server, HTTP Server, FTP Server, HTTP Proxy, Telnet Bouncer, FTP Bouncer, LPR Client,  UDP tools (MSSQL Ping, SNMP ping, SSDP ping, Syslog client/server, Time-Daytime client/server, TFTP server), ICMP tools (Ping, GetBestRoute, GetRTTAndHopCount), TCP/UDP bounce port.

On Microsoft networks: Spoof net send, Shutdown remote windows, Display remote windows properties, Netapi services, Terminal Services processes and sessions, Winspool services, remote drivers, remote AT jobs, remote scheduled tasks, Logged on users, Dump remote users, manage DHCP services, MS SQL processes, MS Perf counters, remote processes, remote event logs.

Password tools include: Protected storage (IE, Outlook Express, …) , LSA secrets, Dialup Passwords , XP Credentials ( MSN, network shares, …) , IE history, Reveal asterisks / hidden passwords, RDP passwords, MSAccess passwords, enum WEP keys, MS SQL enterprise manager passwords, Known default passwords.

Other / System tools include: Manage processes, Opened files, Windows Handles, Events for processes/events/files changes, bandwidth tester (based on iperf), manage windows devices, VBS script editor, WMI browser, Create maps with Graphviz, manage ACL's.

Whew!  That's a real bundle of stuff!

Screenshots at the bottom of the page.

More Trojan Spoofing of Legitimate Malware Products

The other day in my Anti-Rootkit Tools Roundup Revisited post, I mentioned that you need to beware of "fake" tools - especially hard when they take on the GUI of a trusted tool. I specifically referenced the Fake RootkitBuster Busted! post from TrendLabs Malware Blog.

Turns out they aren't the only ones...and surely won't be the last.

Prevx and Trend Micro targeted by spammers.  Seems that ant-malware company Prevx also has a rogue version of their product being offered.  This version seems to toss up a "register now" box that requests users to enter their name and email address so (at best) it is a email address harvester. However, there could be worse things lurking under the surface.

What is really alarming about this event, is that the rogue product was actually being offered for download from CNet|Download.com directly!  Even though one component that makes this site so popular is that they have tested all the downloadables and certified them as "spyware free".

This then becomes yet another reminder that just because you have "trusted download sources" you should still always scan them carefully before installing.  Check the reviews as well if offered as it was noted in the reviews here that it was a trojan by several community members.

Prevx Computer Security Investigator (CSI)

While tracking down the previous story, I checked out the real Prevx product, CSI.

Prevx CSI - (free scans) - is a tiny download and requires no installation (but apparently does have an optional "embedded" installer if you choose to use it).

Compatible with XP and Vista, the application quickly scans for active infections like spyware, Trojans, key loggers, viruses, rootkits, adware, screen watchers and many more types of malware. In my trial-runs, the product ran very quickly and found no threats.

It is free for personal and business use, but there is one "gotcha." If you want to use the product to clean your system, if anything is found, then you will have to purchase an activated version of Prevx CSI Removal and Cleanup.

So to be clear, while Prevx is freeware, it functions only as a scanner, not a cleaner.

However, if you are doing malware-response, this still might be a great tool to add to your fighters-kit.  The scans are fast and do identify the exe file causing the issue.  It might be a good "first-pass" tool to quickly see if your system has issues.  If so, you could (and should) follow up with additional freeware anti-malware tools to clean the infection, consider purchase of Prevx's CSI Removal and Cleanup program, or if you are an advanced anti-malware buster, remove it manually yourself with your wicked-l33t haxor-busting skilz.

Malwarebytes Tool Updates

Mawarebytes offers some really great tools, including their new beta product Malwarebytes’ Anti-Malware (for scanning for and removing malware), FileASSASSIN (for killing locked files), and the wonderful RogueRemover FREE (for removing rogue anti-malware products).

Two other fantastic products they have have been recently updated:

RegASSASSIN - (freeware) - Not a commonly needed tool, but it will effectively remove stubborn registry keys by resetting the key's permissions and then deleting it. New version is 1.03.

StartUpLite - (freeware) - disable or remove all known unnecessary startup entries from your computer and thus quicken the startup procedure of your system. New version is 1.07. What makes this program different from other auto-start inspectors/editors (like Sysinternal's AutoRuns) is that it doesn't offer you a list of ALL the startup group items. Instead it offers you a list of recommended auto-start entries you can safely disable without crashing your system.  It is a nice tool for newbies and those who are not sure about what they shouldn't disable, but want to try to improve system performance.  It's a clever tool and often overlooked.

Trend Micro Tools

Yes, Trend Micro took over the perennial anti-malware tool, Trend Micro HijackThis.  They have slowly continued minor updates and improvements to the program.

Now they have a new anti-malware tool worth looking into.

TrendSecure | Trend Micro RUBotted (Beta) - (freeware) - Runs on Windows 2000, XP, 2003, and Vista systems.

[It] is a small program that runs on your computer, watching for bot related activities. RUBotted intelligently monitors your computer's system behavior for activities that are potentially harmful to both your computer and other people's computers. RUBotted monitors for remote command and control (C&C) commands sent from a bot-herder to control your computer. Additionally, RUBotted watches for an array of potentially malicious bot-related activities, including mass mailing - a common activity performed by a bot-infected computer.

RUBotted co-exists with your existing AV software, providing advanced bot specific behavior monitoring. RUBotted does not rely on frequent, network intensive updates to ensure your computer's continued protection.

So you would be able to run this alongside existing security programs to monitor for malicious software activity on a system.

See also a related application ThreatFire AntiVirus (not from Trend Micro).

Of course, this gets into a discussion about just how much anti-malware protection you should have running at one time.  If you feel you need to have, say five to ten of these utilities running all at once, you might want to reconsider your web-surfing behavior or even go with an Apple or Linux operating system solution instead.  Still, I like having a variety of protective tools to offer the friends and family members I provide support to.

But that is a post for another day...

--Claus

No comments: