Security

2009 Aug 22

Documents and Links

Phishing

Security Standards

Tools & Info

As always, research everything before removing it. Some weird looking files might be system/program critical. Steps for finding virsus and malware.

• First you need to get your system up-to-date and remove all old security holes. this includes removing the old versions and updating to the latest for all your malware protection/scanners and stuff like Java and browsers that can be exploited.
• Throughout the removal steps, use ProcessExplorer to monitor the behavior of processes. It can also be used to kill the ones you know are bad if you are not going to scan on the current boot. Killing "may" prevent the virus behavior and "may" prevent new viruses from being added.
• At this point I would start a forum post, some times it may take a few hours/days before an expert responds. They will usually have you run some scans and post the logs for your initial post, read the forum rules. I would keep moving forward with the rest of thes steps and lean on the experts for help with researching weird processes. Always keep them updated with what you have done though.
• Reboot into Safe Mode and run CleanIt!
• Reboot into Safe Mode and run HijackThis! and research and remove all malicious entries. You might want to consult the forums.
• Reboot into Normal Mode and do NOT do anything except run Kapersky scan. Research the results, remove what you can/know-is-bad. Consult the forum experts if you have any questions.
• Reboot into Normal Mode and do NOT do anything except run Panda scan. Research the results, remove what you can/know-is-bad. Consult the forum experts if you have any questions.
• Reboot into Normal Mode and do NOT do anything except run RootkitRevealer. Research the results, remove what you can/know-is-bad. Consult the Sysinternals forum experts if you have any questions.

Getting rid a of a root kit

• I copied the path of the file that Spybot caught adding itself to the registry. This is a bad file.
• Load ProcessMonitor and set it to monitor on startup
• Reboot (into normal mode)
• once the pc settles after startup, load ProcessMonitor. It will prompt you to save the startup log, do so. It should also load it into the ProcMon.
• In ProcMon, add a Filter {Path . is . <pathOfBadFile>} for every bad file path you have.
• If events show up after filtering, go to their Properties, and then the Process tab.
• Under Modules, look at each of THEIR properties. The ones with no information (no company and no version, etc) or any suspicious ones, research. In my experience the ones with no info were there bad ones.
• Copy-paste all the paths of the modules you KNOW are bad into a new text file. One path on each line.
• I then added those paths to the Brute Force Uninstaller input file. Ran BFU. Rebooted.
• Turn on Windows Firewall (turned off by attack), updated Windows, scan again.

Web Errors

• Privilege escalation and misconfigurations
• Scrub Webcode to eliminate comments
• Do not use human readable function names
• Do not use standard file names (e.g. AdminNewUser.aspx admindefault.aspx)
• Do not show paths
• Do input validation
• View system message

2005-2009