Tuesday, August 12, 2008

Windows Security Linkfest

I’ve been sitting on this growing stack of links for a few weeks now.

Figured I might as well get it out the door—fast and furious.

Seem - System Eyes and Ears Monitor - (freeware) – I’ve mentioned this one a few times in the past and keep wanting to get around to doing a fuller “review” but can’t find the time. (I’m still recovering from that AVG post-fest.)  Anyway, Seem is a nice (and portable) tool for viewing and exploring a whole lot of system points including processes, system hooks, kernel modules, a service manager, Netstat, network devices (ARP), disk overviews, a device viewer, a startup manager, the Control Panel embedded into the program, and a registry tweaker.  While I don’t generally like “all-in-ones”, this utility has a whole lot of goodness about it.  Certainly handy and worth playing around in. Works for XP systems…I haven’t messed around with it in Vista yet; if it does work, it will almost certainly need Admin elevation to work properly.

oSpy v.1.9.6 the reverse-engineering software - (freeware) – Offered by the l33t cats over at Security Database.  Although it is still in development, this is one crazy-cool tool.

oSpy is a tool which aids in reverse-engineering software running on the Windows platform. [W]hen the sniffing is done on the API level it allows a much more fine-grained view of what’s going on. Seeing return-addresses for each recv/send call (for example), can prove useful when you want to look at the processing code at that spot in a debugger or static analysis tool. And if an application uses encrypted communication it’s easy to intercept these calls as well. oSpy already intercepts one such API, and is the API used by MSN Messenger, Google Talk, etc. for encrypting/decrypting HTTPS data.

You can also use this tool for Forensics purposes. This utility can trace and reconstruct any service launched. Very helpful to bust "hidden" remote connections (malwares and other sophisticated worms).

I’ve played with it just long enough to see how it could be really useful in some network capture work with malware.  Basically you run the app on the target system, then inject/attach it to a running process and start the capture.  You can do all kinds of neat things once your capture is completed with the data.

See this ospy - Google Code page for some very short-but-sweet screencast demonstrations on its finer points and operations.  Also check in at the “mov ah, 9 / mov dx, hello_world_msg / int 21h” blog for some more programming details and tricks for the program.

AnVir Task Manager Free - (freeware) – Another great utility find!  Spotted in a review on the 4sysops blog, this all-in-one utility looked too fascinating for me to pass up.  Once installed, you can copy the program folder to your USB stick for a “portable” version as well.  It has a well-developed GUI that is heavy on the tab format.  Check out system startup items and get details on each one (enable/disable), find DLLs and their associated paths/processes, look for files in use and which process is controlling them, see open network connections, monitor system performance, show information on system windows (visible/hidden) and drivers, and, along with a host of other neat and dead-useful features, select and upload files to VirusTotal directly from within the tool.  How neat is that?!!!  This one’s tucked away on my USB stick!

Microsoft® Malware Protection Center : How potentially unwanted software finds a way into our computers – great blog post that has some technical details and investigative work on pathways for malware infection on Windows systems.  Short read.

What is Windows Malicious Software Removal Tool (mrt.exe) and how to use it - Windows Vista for Beginners – Most times we all reach for power-house anti-malware/anti-virus tools to clean a system.  However, XP and Vista systems do contain a tool for dealing with specific threats.  This post is a fast read and shows us how to use it.

SANS ISC – Is Anti-Virus Dead? – Thought-provoking post on the role of traditional signature-based malware protection.  I don’t think we have seen the end of anti-virus protection, but the threats are changing and heuristic/behavior-based protection is probably a good item to add to your Windows security protection elements.

Windows Incident Response: The Question of "whodunnit?" – Does the “Trojan Defense” still have merit?  Methinks so, but the forensic analyst has their work cut out for them.  Just because something is “discovered” on a pc doesn’t mean the user did it.  A good examiner will look for related evidence of “intent” and other clues to draw a supportable conclusion.  Unfortunately, sometimes the issue isn’t with the forensic examination or examiner; the issue may lie in outdated company policy and/or the failure of non-system-aware managers to understand the technical nuances of these elements.  In many folks’ minds, if it is on your pc, then you are responsible.  Period.  Or, it can swing the other way…non-technical folks might buy into the “It wasn’t me, it was a root-kit” explanation, despite a lack of evidence on the system. Harlan does a nice job covering this angle.

ISC SANS: Securing A Network - Lessons Learned – Great list of things to consider when securing a workstation, a server, or a network.  Good refresher material, because no matter how good you are…it can still happen to you! See also Hacked! And I didn't like it - URLScan is Step Zero (ComputerZen blog).

F-Secure Rescue CD 3.00 - (freeware) – I’m not sure how I didn’t know about this LiveCD tool for so long!  Download the ISO file and burn it to CD.  Use it to “live-boot” the target system.  The Linux system will download the latest signatures from F-Secure into memory and use them during its scan.  If no Internet connection is available you can load them from a USB key where they have been previously tucked away.  When malware files are located, it will rename them with a .virus extension so you can find them quickly.  Of course, if any of these are key system files, it might make the target system non-bootable.  So you had better be ready for some kung-fu troubleshooting work.  Cool stuff!  I’ve added this one to my sysadmin’s CD case.
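Since the rescue CD only renames what it finds, the troubleshooting step after a scan is figuring out which of those renamed files the system actually needs to boot. Here is an added example (my own, not part of the post and not F-Secure’s tooling) that walks a mounted or copied Windows volume, inventories every file ending in .virus, and flags the ones sitting in boot-critical locations. The directory and filename lists are assumptions, not exhaustive, and the sample volume it builds is constructed data for demonstration.

```python
"""Inventory files that a rescue-CD scan renamed with a .virus extension.

Added example, not part of the original post or of F-Secure's tooling.
It assumes the scanned Windows volume is mounted (or copied) under a local
path and that the scanner appended ".virus" to each detected file, as the
post describes. The boot-critical locations below are an assumed, partial
list used only to flag renames that could leave the system unbootable.
"""
import os
import tempfile
from pathlib import Path

SUFFIX = ".virus"

# Directories (relative to the volume root, lower-case, forward slashes)
# whose contents are typically needed to boot Windows XP/Vista. Assumed list.
CRITICAL_DIRS = ("windows/system32", "boot")

# Loose boot files in the volume root (XP and Vista loaders). Assumed list.
CRITICAL_ROOT_FILES = ("ntldr", "ntdetect.com", "boot.ini", "bootmgr")


def _is_critical(original_rel_path):
    """True if the original (pre-rename) path lives in a boot-critical spot."""
    if original_rel_path in CRITICAL_ROOT_FILES:
        return True
    parent = os.path.dirname(original_rel_path)
    return any(parent == d or parent.startswith(d + "/") for d in CRITICAL_DIRS)


def classify_renamed(volume_root):
    """Walk the volume and return (critical, other): sorted lists of the
    original relative paths of every file the scanner renamed to *.virus."""
    root = Path(volume_root)
    critical, other = [], []
    for path in root.rglob("*" + SUFFIX):
        if not path.is_file():
            continue  # a directory could carry the suffix; ignore it
        rel = path.relative_to(root).as_posix().lower()
        original = rel[: -len(SUFFIX)]
        (critical if _is_critical(original) else other).append(original)
    return sorted(critical), sorted(other)


def build_sample_volume(base):
    """Create a constructed fake scanned volume under `base` (demo data)."""
    renamed = [
        "Windows/System32/drivers/fakedrv.sys" + SUFFIX,
        "Windows/System32/userinit.exe" + SUFFIX,
        "ntldr" + SUFFIX,
        "Documents and Settings/user/Local Settings/Temp/dropper.exe" + SUFFIX,
    ]
    untouched = ["Windows/System32/kernel32.dll"]  # clean file, must be ignored
    for rel in renamed + untouched:
        target = Path(base, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"placeholder")
    return base


def demo():
    """Build the sample volume in a temp dir and classify it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_volume(tmp)
        return classify_renamed(tmp)


if __name__ == "__main__":
    critical, other = demo()
    print("Renamed in boot-critical locations (expect boot trouble):")
    for p in critical:
        print("  ", p)
    print("Renamed elsewhere:")
    for p in other:
        print("  ", p)
```

Run it against a real mount by calling `classify_renamed("/mnt/windows")` from the LiveCD; anything in the first list is a candidate for restoring from known-good media before you reboot, while the second list is usually safe to leave renamed or delete.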

Seen this “explosive” post on the destruction of Vista security so that it is “…completely game over”?

Neowin.net – Vista’s Security Rendered Completely Useless by New Exploit

Well, turns out that may not be quite the case after all. Just your usual net-security web hype before folks have RTFM.

Submitted for your consideration….

Whew!  I can sleep better now with these security bits!

--Claus
