Presentation on theme: "So Your Computer is Infected, Now What? STC/STS Tech Training 3:00-4:00, Tuesday, August 18, 2009 Brian Allen Network Security Analyst,"— Presentation transcript:
So Your Computer is Infected, Now What? STC/STS Tech Training 3:00-4:00, Tuesday, August 18, 2009 Brian Allen Network Security Analyst, Washington University in St. Louis Copyright Brian Allen This work is the intellectual property of the author. Permission is granted for this material to be shared for non- commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
NSS NSO Business School Law School Arts & Sciences Medical School Engineering School Internets Decentralized Campus Network NSS = Network Services and Support NSO = Network Security Office Library Social Work Art & Architecture IS&T
Tools SecCheck Symantec Endpoint AV Ultimate Boot CD for Windows Knoppix Boot CD TrendMicro Online Scan Sysinternal Tools SpyBot Search and Destroy-Advanced Mode Clean It By Hand
We Interrupt This NSO Presentation For An Important Security Announcement
Knoppix Self contained and complete OS Will boot even if no hard drive Linux (command line) with a nice gui Knoppix has been around since 2000 Popular in the security community There are other Linux Live CDs ClamAV or F-Prot are free AV options
Sysinternals Tools I like Process Explorer Autoruns Process Monitor PSTools TCPView RootkitRevealer
Art of Cleaning It By Hand Favorite malware hideouts: c:\windows\system32, c:\windows\system, c:\windows\system32\drivers Find create and modify timestamps Start from that date look for more badness Look at the binary file attributes Rename or move each file as you go Purge every Temp directory Reboot, repeat
Current Threats Torpig, Mebroot - Sinowal Conficker worm Cutwail Rustock Grum virus BlackEnergy - HTTP-based botnet used primarily for DDoS attacks
Security Websites ThreatExpert Sandbox Virus Total Sunbelt CWSandbox Anubis Sandbox Norman Sandbox
Norman message.htm-MALWARE : INFECTED with W32/Malware (Signature: MyDoom) [ DetectionInfo ] * Filename: C:\analyzer\scan\message.htm-MALWARE. * Signature name: * Executable type: Application. [ Changes to filesystem ] * Creates file C:\WINDOWS\TEMP\zincite.log. [ Changes to registry ] * Accesses Registry key "HKLM\Software\Microsoft\Daemon". [ Network services ] * Looks for an Internet connection. [ Process/window information ] * Creates process "services.exe"". * Will automatically restart after boot (I'll be back...).
Case Study Dear user, We have received reports that your account has been used to send a large amount of spam messages during the last week. We suspect that your computer had been infected by a recent virus and now contains a hidden proxy server. Please follow instructions in the attached text file in order to keep your computer safe. Best wishes, The WUSTL.EDU team.