RE: FW: Blaster vs. Kaht2, detecting Windows root kits

From: Levinson, Karl (LevinsonK_at_STARS-SMI.com)
Date: 08/15/03

    To: 'Amer Karim' <amerk@telus.net>, Focus on Microsoft Mailing List <FOCUS-MS@securityfocus.com>
    Date: Fri, 15 Aug 2003 12:01:03 -0400
    
    

    <aside> Many people and businesses are still in the mode where they think
    you can just run antivirus and walk away from the computer. With the rise
    in use of Windows root kits and worms with IRC backdoors, a virus infection
    can be a very grave security intrusion, and first responders like
    phone-based remote help desks may not detect the intrusion if a root kit is
    keeping the antivirus from seeing the files in question. This may require
    changing attitudes and procedures, and fast.

    It's true as stated by others that the most reliable way to handle such
    compromises is to format and/or image the workstation. The problem though
    is that 1) first responders and antivirus software are likely to fail to
    detect the compromise, and 2) you still probably want to be able to detect
    and confirm that there is a compromise before you go to the trouble of
    wiping the box(es) and disabling the user(s).

    ANYHOW, most of the Windows root kits known today might be visible by one of
    the following methods. Most of the methods below depend on you being able
    to tell normal baseline Windows behavior, though having a second identical
    clean system or doing www.google.com searches might help those without such
    experience determine abnormal behavior:

    1. Use the command NETSTAT -A and/or the free Fport tool from
    www.foundstone.com/knowledge to look for suspicious programs, TCP/IP ports
    or connections. This would detect not the root kit itself but a separate
    networked program the root kit may be hiding, if there is such a program
    installed. Current Windows root kits don't seem to hide information from
    NETSTAT or FPORT, but this may not continue to be true of future root kits.
    I know doing so is mentioned in the "to do" list in the readme for the Hacker
    Defender rootkit.

    2. Connect to the computer across the network from another Windows computer
    running peer to peer Microsoft Networking / Client for Microsoft Networks.
    Run an antivirus scan of the hard drive remotely, and/or try checking the
    registry entries that can start up programs or services when Windows starts,
    including but not limited to
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run and
    runonce, the same locations under HKEY_CURRENT_USER, and if you're brave,
    HKLM\system\currentcontrolset\services, etc. etc.

    3. Boot the computer or hard drive to an alternate operating system, such as
    by slaving the hard drive in another Windows system or using a special boot
    CD or floppy if you have the know-how. Then, do the items above, such as
    run antivirus, inspect registry keys, etc.

    4. Looking at firewall or IDS logs might also give clues, if you know how to
    tell normal traffic from abnormal. www.sygate.com and www.kerio.com are two
    more or less free personal firewall programs for Windows you might use in a
    pinch, and www.snort.org is a free IDS. Again, you'd be detecting not the
    rootkit itself but a network application hidden by the rootkit, assuming
    there is one.

    5. Many times, root kits are detected because the intruder failed to hide
    everything and left traces, such as new files. For files, registry entries
    and services that are not hidden by a root kit, normal incident response
    procedures can still be helpful, possibly including inspecting which files
    have changed in the past day or week, running a tool that looks for file
    changes such as the free SIM from www.gfi.com, inspecting or monitoring log
    files, etc.

    There are other things that professionals with the time and expertise might
    do, but hopefully these are feasible ways for non-security professionals and
    first responders to try to detect a security problem.

    HTH

    kind regards,

    - Karl

    -----Original Message-----
    From: Amer Karim [mailto:amerk@telus.net]
    Sent: 12 August 2003 14:39
    To: 'Marc Fossi'
    Subject: RE: Blaster vs. Kaht2

    Out of curiosity, are there any symptomatic clues as to determining if the
    system has been compromised by Kaht2? I can't seem to find any info on the
    Symantec site.
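One way to turn items 1, 2 and 5 of Karl's list into a repeatable baseline check, as an added example that is not part of the original post: the script below snapshots the Run/RunOnce keys, service ImagePaths and listening TCP ports with their owning process (the Fport / NETSTAT -A view), and diffs them against a baseline saved on an earlier run. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection), an elevated session, and a baseline file path of my choosing; as the post notes, the most trustworthy baseline comes from a known-clean, identically built system.

```powershell
# Added example (not from the original post): snapshot autorun locations and
# listening ports, then diff them against a saved baseline.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.
param([string]$BaselinePath = "$env:TEMP\autorun-baseline.txt")  # assumed path

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-Snapshot {
    $lines = @()
    # Run / RunOnce values: one line per "name = command line"
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' }   # drop provider metadata
        foreach ($p in $props) { $lines += "run|$key|$($p.Name)=$($p.Value)" }
    }
    # Services: service name and the binary it launches (ImagePath)
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $ip = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($ip) { $lines += "svc|$($svc.PSChildName)=$ip" }
    }
    # Listening TCP endpoints with owning process, the Fport / NETSTAT -A view
    foreach ($c in Get-NetTCPConnection -State Listen) {
        $name = (Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $lines += "tcp|$($c.LocalAddress):$($c.LocalPort)=$name (pid $($c.OwningProcess))"
    }
    return $lines | Sort-Object -Unique
}

$current = Get-Snapshot
if (-not (Test-Path $BaselinePath)) {
    # First run: record the baseline and stop
    $current | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($current.Count) entries)"
} else {
    # Later runs: report entries that appeared or disappeared since the baseline
    $diff = Compare-Object -ReferenceObject (Get-Content $BaselinePath) -DifferenceObject $current
    foreach ($d in $diff) {
        $tag = if ($d.SideIndicator -eq '=>') { 'NEW    ' } else { 'MISSING' }
        Write-Host "$tag $($d.InputObject)"
    }
    if (-not $diff) { Write-Host 'No change from baseline' }
}
```

Run it once on a clean build to write the baseline, then again on the suspect host; anything tagged NEW is a starting point for the manual inspection the post describes, and a snapshot taken from the booted host can itself be compared against one taken from a remote registry connection or an offline hive to spot entries a rootkit hides locally.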


