Presentation is loading. Please wait.

Presentation is loading. Please wait.

So Your Computer is Infected, Now What? STC/STS Tech Training 3:00-4:00, Tuesday, August 18, 2009 Brian Allen Network Security Analyst,

Similar presentations


Presentation on theme: "So Your Computer is Infected, Now What? STC/STS Tech Training 3:00-4:00, Tuesday, August 18, 2009 Brian Allen Network Security Analyst,"— Presentation transcript:

1 So Your Computer is Infected, Now What? STC/STS Tech Training 3:00-4:00, Tuesday, August 18, 2009 Brian Allen Network Security Analyst, Washington University in St. Louis Copyright Brian Allen This work is the intellectual property of the author. Permission is granted for this material to be shared for non- commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 NSS NSO Business School Law School Arts & Sciences Medical School Engineering School Internets Decentralized Campus Network NSS = Network Services and Support NSO = Network Security Office Library Social Work Art & Architecture IS&T

3 Tools SecCheck Symantec Endpoint AV Ultimate Boot CD for Windows Knoppix Boot CD TrendMicro Online Scan Sysinternal Tools SpyBot Search and Destroy-Advanced Mode Clean It By Hand

4

5

6

7

8

9 We Interrupt This NSO Presentation For An Important Security Announcement

10

11

12 Knoppix Self contained and complete OS Will boot even if no hard drive Linux (command line) with a nice gui Knoppix has been around since 2000 Popular in the security community There are other Linux Live CDs ClamAV or F-Prot are free AV options

13

14

15

16 Sysinternals Tools I like Process Explorer Autoruns Process Monitor PSTools TCPView RootkitRevealer

17

18

19 Art of Cleaning It By Hand Favorite malware hideouts: c:\windows\system32, c:\windows\system, c:\windows\system32\drivers Find create and modify timestamps Start from that date look for more badness Look at the binary file attributes Rename or move each file as you go Purge every Temp directory Reboot, repeat

20 Current Threats Torpig, Mebroot - Sinowal Conficker worm Cutwail Rustock Grum virus BlackEnergy - HTTP-based botnet used primarily for DDoS attacks

21 Security Websites ThreatExpert Sandbox Virus Total Sunbelt CWSandbox Anubis Sandbox Norman Sandbox

22

23

24

25

26

27

28

29

30

31

32 Norman message.htm-MALWARE : INFECTED with W32/Malware (Signature: MyDoom) [ DetectionInfo ] * Filename: C:\analyzer\scan\message.htm-MALWARE. * Signature name: * Executable type: Application. [ Changes to filesystem ] * Creates file C:\WINDOWS\TEMP\zincite.log. [ Changes to registry ] * Accesses Registry key "HKLM\Software\Microsoft\Daemon". [ Network services ] * Looks for an Internet connection. [ Process/window information ] * Creates process "services.exe"". * Will automatically restart after boot (I'll be back...).

33 Case Study Dear user, We have received reports that your account has been used to send a large amount of spam messages during the last week. We suspect that your computer had been infected by a recent virus and now contains a hidden proxy server. Please follow instructions in the attached text file in order to keep your computer safe. Best wishes, The WUSTL.EDU team.

34

35 NO! DON’T CLICK ON IT!

36 So Your Computer Is Infected, Now What?

37

38

39

40

41

42

43

44 Clean vs Rebuild? Pros/Cons Discussion

45 Books Cryptonomicon – fiction Cuckoo's egg - nonfiction Safaribooksonline.com – free for wustl.edu


Download ppt "So Your Computer is Infected, Now What? STC/STS Tech Training 3:00-4:00, Tuesday, August 18, 2009 Brian Allen Network Security Analyst,"

Similar presentations


Ads by Google