12 Steps to a malware free existence

This topic contains 27 replies, has 9 voices, and was last updated by  encryptedmind 6 years, 7 months ago.

  • #8043
     Hudson185 
    Participant

    Microsoft Windows has a long history of mass attacks launched at it with exploit kits such as Black Hole and USB spreading. Once the Windows machine is exploited, banking bots are installed on that machine. Zeus targeted the Internet Explorer and Firefox web browsers. Zeus introduced form grabbing (http://en.wikipedia.org/wiki/Form_Grabber), web-injects and ATS attacks using web-injects (http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_automating_online_banking_fraud.pdf). Zeus also featured VNC (like RDP, full GUI access to the victim's machine) and backconnect (allows the botmaster to use the victim's PC as a proxy and also to access the victim PC's file system). The Zeus source code for 2.0.8.9 was leaked.

    SpyEye built on Zeus, adding support for the Chrome and Opera web browsers.
    Unlike Zeus, SpyEye requires a VPS or dedicated server.
    SpyEye uses a collector daemon and requires a Debian or CentOS server.
    SpyEye added screenshots to defeat on-screen keyboards. SpyEye also added a DNS changer allowing the attacker to change the DNS settings of infected computers. SpyEye added a webfakes plugin that allowed the attacker to intercept and change the page the victim machine is viewing. A DDoS module and a credit card grabber plugin were also added.
    The hidden RDP plugin is by far the best of SpyEye's plugins, as it uses a hidden Remote Desktop session instead of VNC like Zeus. The SpyEye hidden RDP daemon only works with Debian or CentOS. SpyEye also has a SOCKS proxy plugin and an FTP plugin, both of which use the same backconnect daemon.

    Citadel, built off the Zeus source code, is now the preferred bot of cyber criminals.
    Citadel is a work in progress; check out http://malware.dontneedcoffee.com/2012/10/citadelupdate1.3.5.1.html for more info on Citadel.

    Why do we still use Windows? It's clearly not secure.
    This failure rate is not acceptable; just assume that you're infected.

    Okay, so Mac is secure? No, not really. Mac also has Zeus-like clones such as the Weyland-Yutani bot.
    http://krebsonsecurity.com/2011/05/weyland-yutani-crime-kit-targets-macs-for-bots/
    Also, Mac now has RATs such as NetWire
    http://www.xylibox.com/2012/07/netwire-first-multi-platform-rat.html
    and Incognito
    http://krebsonsecurity.com/2011/05/something-old-is-new-again-mac-rats-crimepacks-sunspots-zeus-leaks/

    Okay, Linux is secure? Currently Linux's only concerns are trojans such as NetWire and Java trojans.

    How can we bank online safely? The answer is using a Linux live CD like BT5R3-GNOME-64 (Wine is loaded on it) and read-only SD cards to store your passwords and settings on.

    First, burn the ISO and check the MD5 sum.
    Boot the ISO, insert the SD cards in write mode, download your programs to the SD card, and create your email account and other accounts using
    a password manager such as KeePass http://downloads.sourceforge.net/keepass/KeePass-1.24-Setup.exe
    Once finished, lock the SD cards into read-only mode.

    12 Steps to a malware free existence

    1. Use a wired connection. Wi-Fi sucks
    http://hakshop.myshopify.com/products/wifi-pineapple

    2. Use a wired keyboard and mouse. Hacking Bluetooth is closer than you might think
    http://hakshop.myshopify.com/products/ubertooth-one

    3. Use a VPN http://strongvpn.com/

    4. Use TrueCrypt to encrypt the files on your SD card.

    5. Use a YubiKey for your TrueCrypt password.
    http://www.yubico.com/products/yubikey-hardware/yubikey/

    6. Use a second SD card for a keyfile if using KeePass.

    7. Use two-factor authentication for email; a good choice would be Gmail.

    8. Always use a password generator such as KeePass to create your passwords.

    9. Only use your email account on the live CD, never anywhere else.

    10. Back up your SD card data and your YubiKey password.

    11. Use WinMD5Free (it works in Wine) to check the MD5 sums of your live CD and your programs.

    12. Remember that your banking computer is not a toy and only do banking on it.
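
    An added example (not from the original post, and not BackTrack's or KeePass's own tooling) of the two checks the procedure above relies on: verifying a downloaded image or installer against its published digest before burning it, and confirming from inside the running live session that the SD card really is mounted read-only and that no hard disk is mounted writable. It assumes GNU coreutils `md5sum`/`sha256sum` (falling back to the macOS `md5`/`shasum` tools) and a Linux `/proc/mounts`; the optional mounts-file argument exists so the parsing can be exercised on a constructed file. Prefer SHA-256 wherever the distributor publishes one: MD5 only catches accidental corruption, not a deliberately substituted file.

```bash
#!/bin/sh
# Added example for this thread; not part of the original post.
# Digest algorithms, device name patterns and the sample mounts file in the
# usage section are assumptions/constructed data for the demonstration.

# digest ALGO FILE -> prints the hex digest, using whichever tool is installed
digest() {
    case "$1" in
        md5)
            if command -v md5sum >/dev/null 2>&1; then md5sum "$2" | cut -d' ' -f1
            else md5 -q "$2"; fi ;;
        sha256)
            if command -v sha256sum >/dev/null 2>&1; then sha256sum "$2" | cut -d' ' -f1
            else shasum -a 256 "$2" | cut -d' ' -f1; fi ;;
        *) echo "unsupported algorithm: $1" >&2; return 2 ;;
    esac
}

# verify_hash FILE ALGO EXPECTED -> 0 on match, 1 on mismatch, 2 on bad algorithm
# Compares case-insensitively so a digest copied from a web page in upper case
# still matches what the tool prints.
verify_hash() {
    actual=$(digest "$2" "$1") || return 2
    [ "$(printf '%s' "$actual"  | tr 'A-Z' 'a-z')" = \
      "$(printf '%s' "$3"       | tr 'A-Z' 'a-z')" ]
}

# mount_is_readonly MOUNTPOINT [MOUNTS_FILE] -> 0 if that mount carries the
# "ro" option, 1 otherwise. Reads the kernel's view (/proc/mounts) rather than
# trusting that the card's write-protect switch was actually flipped.
mount_is_readonly() {
    awk -v mp="$1" '
        $2 == mp { n = split($4, opts, ","); for (i = 1; i <= n; i++) if (opts[i] == "ro") found = 1 }
        END { if (found) exit 0; exit 1 }' "${2:-/proc/mounts}"
}

# writable_disks [MOUNTS_FILE] -> prints "device mountpoint" for every block
# device (sd*, hd*, vd*, nvme*, mmcblk*) mounted read-write. Empty output is
# what the live-CD setup in the thread expects.
writable_disks() {
    awk '$1 ~ /^\/dev\/(sd|hd|vd|nvme|mmcblk)/ && $4 ~ /(^|,)rw(,|$)/ { print $1, $2 }' \
        "${1:-/proc/mounts}"
}

# Usage: sh check.sh FILE ALGO EXPECTED_DIGEST   (e.g. the ISO and its posted SHA-256)
if [ $# -eq 3 ]; then
    if verify_hash "$1" "$2" "$3"; then echo "digest OK: $1"; else echo "DIGEST MISMATCH: $1" >&2; exit 1; fi
    echo "writable disks mounted (should be empty):"; writable_disks
fi
```

    A read-only mount flag protects against persistence, not against reading: root in the session can still remount the card read-write or copy its contents elsewhere, so treat these checks as a sanity check on the session's state rather than as a security boundary.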

  • #51013
     RoleReversal 
    Participant

    Hi Hudson,

    welcome to EH-Net 🙂

    Not wanting to pull your first post apart, but this seems to be computing for the truly paranoid. Whilst most of it is good advice, in the real world you've got zero chance of getting standard users to take these precautions; I'm an overly paranoid infosec guy and the only step I follow is checking the hash sums of downloaded files – and my machines are malware free (ignoring the malware there deliberately…).

    And if you're running a 'nix OS, why run WinMD5Free under Wine when you've (usually) got md5sum on the command line as standard?

    Oh, and one of my primary malware-free machines? Running Windows….

  • #51014
     Hudson185 
    Participant

    Thanks for not destroying me on my first post. This was written more toward the power user crowd. I agree standard users will never do this. WinMD5Free is simple to use, that's why I suggested it, but you make a valid point.

  • #51015
     Triban 
    Participant

    Don’t forget to use a dedicated machine to surf pr0n  😀  I mean so I hear.

    Welcome to the forums!

  • #51016
     prats84 
    Participant

    Thanks for the post; some things are really practical and great to implement.

    I tend to believe and follow this no matter what we do: the moment you are on the internet you aren't safe.
    So I keep avoiding Windows because it has a greater number of threats than *nix and OS X, and use a VM to download stuff or to visit some random sites.

  • #51017
     tturner 
    Participant

    You forgot “Perform normal computing tasks as a non-privileged user and use runas or sudo when higher privileges are required”

    I've found taking this step prevents a huge number of infections.

  • #51018
     rattis 
    Participant

    @andrew Waite wrote:

    … this seems to be computing for the truly paranoid. Whilst most of it is good advice, in the real world you've got zero chance of getting standard users to take these precautions; I'm an overly paranoid infosec guy and the only step I follow is checking the hash sums of downloaded files – and my machines are malware free (ignoring the malware there deliberately…).

    Actually, if it was truly paranoid, he would have said to use something like T.A.I.L.S. instead of BackTrack. It has a mode to look like Windows, which makes it easier to use for a standard user. Encrypts everything going out. Read-only live CD or USB.

    Yes I use T.A.I.L.S. in hostile environments (at the university, and at hacker cons).

  • #51019
     jinwald12 
    Participant

    He forgot to mention the tin foil hats and VPN chaining.

  • #51020
     jinwald12 
    Participant

    But to be honest, use-specific VMs are better and more cost efficient. Assuming your virtualization software is up to date, it's really unlikely that malware will "jump the petri dish", as it were. Also, BackTrack 5 runs as root on an outdated version of Ubuntu with tons of after-market modifications; I would not use it to do banking under most circumstances.

  • #51021
     Hudson185 
    Participant

    BackTrack 5 may be outdated, but it has a BackTrack 5 boot option, BackTrack Forensics (http://www.backtrack-linux.org/wiki/index.php/Forensics_Boot).
    As long as you change the default root password it's okay to run as root on a live CD. Provided you power the PC down after each session, that should provide more than enough protection.

  • #51022
     jinwald12 
    Participant

    Are you crazy? It's never a good idea to run as root. The whole point of sudo/levels of privilege is to allow for "security in layers", so that if they compromise the signed-in user an attacker does not have free rein of the system; they have to find a way to escalate privileges. And it does not matter if it's a forensics boot or not, BackTrack is still based off of an outdated platform.

  • #51023
     dynamik 
    Participant

    Why is everyone saying BackTrack is outdated? It’s based off an LTS version of Ubuntu and is still completely supported: https://wiki.ubuntu.com/LTS

  • #51024
     rattis 
    Participant

    You're making a fatal mistake too. Even live CDs have flaws. I would suggest finding my DerbyCon talk to see just a few of them.

  • #51025
     Hudson185 
    Participant

    Yes, live CDs have flaws and running as root does have its drawbacks, but because live CD sessions are non-persistent, that would require an attacker to re-exploit the machine multiple times. These assumptions are reasonable for a power user to follow; 99% chance of not getting hacked.

  • #51026
     dynamik 
    Participant

    @hudson185 wrote:

    Yes, live CDs have flaws and running as root does have its drawbacks, but because live CD sessions are non-persistent, that would require an attacker to re-exploit the machine multiple times. These assumptions are reasonable for a power user to follow; 99% chance of not getting hacked.

    That's assuming you're on a diskless system or that the disks are fully encrypted. If neither of those is the case, an attacker could dump hashes, create new autorun entries, etc. There are plenty of possibilities for long-term/persistent attacks.

    +1 for Chris’ talk. The default root/toor usage statistic alone was pretty awesome 8)

  • #51027
     Hudson185 
    Participant

    I assume that the SD cards are read-only and that no hard disk is mounted. The files on the read-only SD card are encrypted with TrueCrypt, and the password for TrueCrypt is on a YubiKey to decrypt. The passwords are in KeePass, a password manager, and require a keyfile on a separate read-only SD card. Also, I assume the power user is smart enough to change the default root password and run NoScript on Firefox.

  • #51028
     rattis 
    Participant

    @hudson185 wrote:

    I assume that the SD cards are read-only and that no hard disk is mounted. The files on the read-only SD card are encrypted with TrueCrypt, and the password for TrueCrypt is on a YubiKey to decrypt. The passwords are in KeePass, a password manager, and require a keyfile on a separate read-only SD card. Also, I assume the power user is smart enough to change the default root password and run NoScript on Firefox.

    Read-only or not, it's still accessible. I don't need to write to things to have the ability to start copying your data.

    However, as root, the command mount -o rw is a thing as well.

    KeePass has stuff in memory; not hard to do a memory dump as root.

    As for the power user… At DerbyCon, lots of clueful people there, a network scan turned up over 100 BackTrack boxes with default login creds of root/toor.

    Like I hinted before, if you want to be serious about it. Load TAILS.

  • #51029
     Hudson185 
    Participant

    TAILS is for anonymity, not security. Tor's security sucks (http://nspill.blogspot.com/2010/04/tor-exit-node-sslstrip.html) but its anonymity is good. Using BackTrack 5 R3 with a VPN is much more secure, but it's not anonymous. Also, the chances of having an attacker that is dedicated are really low. Compared to Windows and Mac and Ubuntu, you're much more secure.

  • #51030
     tturner 
    Participant

    @hudson185 wrote:

    Using BackTrack 5 R3 with a VPN is much more secure …

    More secure than what? A soggy napkin? If you want secure, run a stripped-down Gentoo or *BSD box with only the bare necessities, no compiler, services disabled, FDE, etc. BT5 not only runs as root (yes, you can change that, but I run a BT5 VM with a locked-down user and su when I need root, and it's still very insecure) but has so much cruft installed you will have an extremely hard time making it secure. That's not what it's designed for. Choose the right tools for the job. Hell, I'm pretty sure my Windows 7 box, the way I have it locked down, is more secure than most BT5 installs.

  • #51031
     jinwald12 
    Participant

    @ajohnson wrote:

    Why is everyone saying BackTrack is outdated? It’s based off an LTS version of Ubuntu and is still completely supported: https://wiki.ubuntu.com/LTS

    It's based off of 10.04 (Lucid), which, while in theory still LTS, does not get nearly as much attention as other releases, and BT uses different repos than normal Lucid for most of its programs, which have outdated versions (with the exception of Firefox and a few others), and they slapped on a kernel version that is nowhere near what Lucid was designed to work with.

  • #51032
     dynamik 
    Participant

    @jinwald12 wrote:

    It's based off of 10.04 (Lucid), which, while in theory still LTS, does not get nearly as much attention as other releases, and BT uses different repos than normal Lucid for most of its programs, which have outdated versions (with the exception of Firefox and a few others), and they slapped on a kernel version that is nowhere near what Lucid was designed to work with.

    I guess that depends on your definition of “outdated” then. A 10.x release is obviously not going to have all the bells and whistles as a 12.x release, but it’s not unsupported or neglected either.

    Back to the main topic, BackTrack really shouldn’t be used as a “secure” distro since that’s not its purpose. As mentioned by others, it has numerous changes that make it less secure right out of the gate (default password of toor, root SSH login enabled, etc.) Are you really going to change your password and disable root SSH logins every time you launch the live CD? Why would you even want to deal with having to harden your system every time you boot it? Spend $8 on another thumb drive and use a distro that’s designed for security.

  • #51033
     rattis 
    Participant

    @hudson185 wrote:

    TAILS is for anonymity, not security. Tor's security sucks (http://nspill.blogspot.com/2010/04/tor-exit-node-sslstrip.html) but its anonymity is good. Using BackTrack 5 R3 with a VPN is much more secure, but it's not anonymous.

    T.A.I.L.S. is about more than anonymity. T.O.R. is just one of the things it uses; it's just the one that gets the most press. It has other features built in, so if you're running it, you're protected. It boots more secure than BT5r3 does. Firewall on by default. Blocking inbound connections. You also don't have to use TOR on it if you don't want to.

  • #51034
     Hudson185 
    Participant

    Tried out T.A.I.L.S. It's cool and user friendly, but it lacks Wine and TrueCrypt. So I still would say BackTrack 5 R3 is a better choice if you're only going to use a live CD.

  • #51035
     Hudson185 
    Participant

    Also posted this on hak5.org encouraging people to come to ethicalhacker.net

    157 views so far…
    http://forums.hak5.org/index.php?/topic/28192-12-steps-to-a-malware-free-existence-using-a-backtrack-5-r3-live-cd/

  • #51036
     rattis 
    Participant

    You can install other packages as you need them. Since T.A.I.L.S. is already DVD sized, it would be worth a try to contact the dev to install those in the next version of the DVD.

  • #51037
     Hudson185 
    Participant

    @chrisj wrote:

    You can install other packages as you need them. Since T.A.I.L.S. is already DVD sized, it would be worth a try to contact the dev to install those in the next version of the DVD.

    That's definitely a good idea. It would be great to see Wine and TrueCrypt on a more user-friendly OS like T.A.I.L.S.

  • #51038
     Hudson185 
    Participant

    I wrote the developers; I doubt we will see Wine on T.A.I.L.S.
    Also, the developers do not like TrueCrypt:

    “… Tails developers do not recommend TrueCrypt. We include TrueCrypt only to allow users of the (old and now unsupported) Incognito live system to access the data on previously created media. In the future, we would like to provide proper alternatives and stop distributing TrueCrypt. This means that you should not create new TrueCrypt media if you intend to stay with Tails in the long run.”
    I would say that BackTrack 5 R3 is still the best choice at the moment.

    Please add Wine and TrueCrypt
    Hudson Seiler

    Dec 25 (1 day ago)

    to tails-dev
    Hello, recently I wrote an article about avoiding banking trojans and bots on http://www.ethicalhacker.net using the Backtrack 5 r3 live CD. I thought that Backtrack 5 r3 was okay for the power user, but not the common user. Then I was told about Tails; my only complaint with it is the lack of Wine and TrueCrypt. It would be awesome if you could add Wine and TrueCrypt to the live CD.

    article
    http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,9571.0/

    sincerely,
    Hudson Seiler

    Reply

    5:27 PM (4 hours ago)

    to Tails, me
    > Truecrypt is very useful indeed, but it can be installed on Tails,
    > simply download the tar.gz package from truecrypt.org and execute the
    > script, it will install it.
    >
    > I also recommend to the development team that truecrypt should be
    > included by default and come with the DVD already.

    TrueCrypt is already included in Tails, please refer to the doc:

    https://tails.boum.org/doc/encryption_and_privacy/truecrypt/.

    Regarding Wine, Tails is not meant to be a general purpose operating
    system but a selection of tools designed to answer some particular use
    cases, see our design doc:

    https://tails.boum.org/contribute/design/

    Apart from the fact that I really doubt we want to encourage people
    running probably non-free software through Wine. How would Wine help us
    fulfil better our goals?

  • #51039
     encryptedmind 
    Participant

    For most lay users, getting to work on complicated software is not really their thing. A simple TrueCrypt-based encryption works well.

    Couple that with a top ranking AV product and a top ranking firewall (free or fee) should do the trick.

    2 step verification is recommended. Local downloaded mails should be encrypted as well.

    The thing I would do optimally is to create a virtual hard disk in VMware and use that sandboxed environment for much of the daily tasks. Keep the fully installed and configured virtual machine image as a backup on an external HD for retrieval.

    Use a sandboxed browser like Chrome in a sandboxed environment like Sandboxie within a virtual machine. Use shared folders only when really required. Couple that with more security from Deep Freeze for total recall. Optimally use a VPN / Tor.

    Take system file hashes once in a while to make sure of the system integrity.

    The rest is just net common sense: don't surf dubious links or download software from suspicious sources. Scan files before installation.

    THE MOST IMPORTANT RULE OF ALL — TAKE REGULAR BACKUPS OF EVERYTHING YOU THINK IS USEFUL, EVERYDAY/EVERYOTHER DAY.

    The above rule has saved my a*** many a time.

    Computers and computer software are not perfect because we humans are not perfect.

Copyright ©2019 Caendra, Inc.
