
12 Steps to a malware free existence


Hudson185

Newbie

Posts: 12

Joined: Fri Nov 16, 2012 1:07 pm

Post Mon Nov 26, 2012 3:37 am

12 Steps to a malware free existence

Microsoft Windows has a long history of mass attacks launched at it with exploit kits such as Black Hole and USB spreading. Once the Windows machine is exploited, banking bots are installed on that machine. Zeus targeted the Internet Explorer and Firefox web browsers. Zeus introduced form grabbing (http://en.wikipedia.org/wiki/Form_Grabber), web-injects and ATS attacks using web-injects (http://www.trendmicro.com/cloud-content ... _fraud.pdf). Zeus also featured VNC (like RDP, full GUI access to the victim's machine) and backconnect (allows the botmaster to use the victim's PC as a proxy and also to access the victim's PC file system). The Zeus source code for 2.0.8.9 was leaked.

SpyEye built on Zeus, adding support for the Chrome and Opera web browsers.
Unlike Zeus, SpyEye requires a VPS or dedicated server.
SpyEye uses a collector daemon and requires a Debian or CentOS server.
SpyEye added screenshots to defeat onscreen keyboards. SpyEye also added a DNS changer allowing the attacker to change the DNS settings of infected computers. SpyEye added a webfakes plugin allowing the attacker to intercept and change the page the victim machine is viewing. A DDoS module and a credit card grabber plugin were also added.
The hidden RDP plugin is by far the best of SpyEye's plugins as it uses a hidden Remote Desktop session instead of VNC like Zeus. The SpyEye hidden RDP daemon only works with Debian or CentOS. SpyEye also has a SOCKS proxy plugin and an FTP plugin; both use the same backconnect daemon.

Citadel, built off the Zeus source code, is now the preferred bot of cyber criminals.
Citadel is a work in progress; check out http://malware.dontneedcoffee.com/2012/ ... 3.5.1.html for more info on Citadel.

Why do we still use Windows? It's clearly not secure.
This failure rate is not acceptable; just assume that you're infected.

Okay, so Mac is secure? No, not really. Mac also has Zeus-like clones such as the Weyland Yutani bot.
http://krebsonsecurity.com/2011/05/weyl ... -for-bots/
Mac also now has RATs such as NetWire
http://www.xylibox.com/2012/07/netwire- ... m-rat.html
and Incognito
http://krebsonsecurity.com/2011/05/some ... eus-leaks/

Okay, Linux is secure? Currently Linux's only concerns are trojans such as NetWire and Java trojans.


How can we bank online safely? The answer is using a Linux live CD like BT5R3-GNOME-64 (Wine is loaded on it) and read-only SD cards to store your passwords and settings on.

First burn the ISO and check the MD5 sum.
Boot the ISO and insert the SD cards in write mode, download your programs to the SD card, and create your email account and other accounts using
a password manager such as KeePass (http://downloads.sourceforge.net/keepas ... -Setup.exe);
once finished, lock the SD cards into read-only mode.

12 Steps to a malware free existence


1. Use a wired connection. Wifi sucks.
http://hakshop.myshopify.com/products/wifi-pineapple

2. Use a wired keyboard and mouse. Hacking Bluetooth is closer than you might think.
http://hakshop.myshopify.com/products/ubertooth-one

3. Use a VPN http://strongvpn.com/

4. Use TrueCrypt to encrypt the files on your SD card.

5. Use a Yubikey for your TrueCrypt password.
http://www.yubico.com/products/yubikey- ... e/yubikey/

6. Use a second SD card for a keyfile if using KeePass.

7. Use two-factor authentication for email; a good choice would be Gmail.

8. Always use a password generator such as KeePass to create your passwords.

9. Only use your email account on the live CD; never use it anywhere else.

10. Back up your SD card data and your Yubikey password.

11. Use WinMD5Free (works in Wine) to check the MD5 sums of your live CD and your programs.

12. Remember that your banking computer is not a toy; only do banking on it.
Last edited by Hudson185 on Mon Nov 26, 2012 3:45 am, edited 1 time in total.
Certifications:
OSWP
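As an added example (not code from the thread or from any poster here): a POSIX sh function that checks a downloaded live CD ISO or installer against its published digest, the way the "check the md5 sum" step and step 11 are meant to be used, and that fails closed on a mismatch. `verify_checksum`, the sample file and its digest values are constructed for this demonstration; SHA-256 is accepted alongside MD5 because MD5 collisions are practical and publishers increasingly list SHA-256.

```shell
#!/bin/sh
# Added example, not code from the thread or its posters: verify a downloaded
# live CD ISO or installer against the digest its publisher lists before you
# boot or run it. Accepts md5 (the post's workflow) or sha256 (preferred when
# the publisher offers it, since MD5 collisions are practical).
#
# usage: verify_checksum FILE EXPECTED_HEX [md5|sha256]   (default: sha256)
verify_checksum() {
    file=$1
    # Publishers list digests in upper or lower case; normalise before comparing.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    algo=${3:-sha256}

    [ -f "$file" ] || { echo "ERROR no such file: $file" >&2; return 2; }

    case $algo in
        md5)    actual=$(md5sum "$file" | cut -d' ' -f1) ;;
        sha256) actual=$(sha256sum "$file" | cut -d' ' -f1) ;;
        *)      echo "ERROR unsupported algorithm: $algo" >&2; return 2 ;;
    esac

    if [ "$actual" = "$expected" ]; then
        echo "OK   $file ($algo)"
        return 0
    fi
    # Fail closed: a mismatch means a corrupt or tampered download; do not use it.
    echo "FAIL $file ($algo): expected $expected, got $actual" >&2
    return 1
}

# Constructed sample input standing in for a downloaded ISO: the five bytes
# "hello", whose MD5 and SHA-256 are well known, so the check runs offline.
SAMPLE_FILE=$(mktemp)
printf 'hello' > "$SAMPLE_FILE"
SAMPLE_MD5=5d41402abc4b2a76b9719d911017c592
SAMPLE_SHA256=2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
TAMPERED_MD5=00000000000000000000000000000000   # a modified file will not match

verify_checksum "$SAMPLE_FILE" "$SAMPLE_MD5" md5
verify_checksum "$SAMPLE_FILE" "$SAMPLE_SHA256"
verify_checksum "$SAMPLE_FILE" "$TAMPERED_MD5" md5 || echo "(mismatch rejected as intended)"
```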
RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Mon Nov 26, 2012 4:17 am

Re: 12 Steps to a malware free existence

Hi Hudson,

welcome to EH-Net :)

Not wanting to pull your first post apart, but this seems to be computing for the truly paranoid. Whilst most of it is good advice, in the real world you've got zero chance of getting standard users to take these precautions; I'm an overly paranoid infosec guy and the only step I follow is checking the hash sums of downloaded files - and my machines are malware free (ignoring the malware there deliberately...).

And if you're running a 'nix OS, why run WinMD5Free under Wine when you've (usually) got md5sum on the command line as standard?

Oh, and one of my primary malware-free machines? Running Windows....
Hudson185

Newbie

Posts: 12

Joined: Fri Nov 16, 2012 1:07 pm

Post Mon Nov 26, 2012 11:48 am

Re: 12 Steps to a malware free existence

Thanks for not destroying me on my first post. This was written more toward the power user crowd. I agree standard users will never do this. winmd5Free is simple to use that's why I suggested it but you make a valid point.
Last edited by Hudson185 on Mon Nov 26, 2012 1:05 pm, edited 1 time in total.
Certifications:
OSWP
Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Mon Nov 26, 2012 10:14 pm

Re: 12 Steps to a malware free existence

Don't forget to use a dedicated machine to surf pr0n  :D  I mean so I hear.

Welcome to the forums!
Certs: GCWN
(@)Dewser
prats84

Jr. Member

Posts: 73

Joined: Thu Nov 18, 2010 7:03 pm

Post Tue Nov 27, 2012 3:16 am

Re: 12 Steps to a malware free existence

Thanks for the post; some things are really practical and great to implement.

I tend to believe, and follow, that no matter what we do, the moment you are on the internet you aren't safe.
So I avoid using Windows because it has a greater number of threats than *nix and OS X, and use a VM to download stuff or to visit some random sites.
tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Tue Nov 27, 2012 9:49 am

Re: 12 Steps to a malware free existence

You forgot "Perform normal computing tasks as a non-privileged user and use runas or sudo when higher privileges are required".

I've found taking this step prevents a huge number of infections.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Tue Nov 27, 2012 10:14 am

Re: 12 Steps to a malware free existence

Andrew Waite wrote:
... this seems to be computing for the truly paranoid. Whilst most of it is good advice, in the real world you've got zero chance of getting standard users to take these precautions; I'm an overly paranoid infosec guy and the only step I follow is checking the hash sums of downloaded files - and my machines are malware free (ignoring the malware there deliberately...).

Actually, if it was truly paranoid, he would have said to use something like T.A.I.L.S. instead of BackTrack. It has a mode to look like Windows, which makes it easier to use for a standard user. Encrypts everything going out. Read-only live CD or USB.

Yes I use T.A.I.L.S. in hostile environments (at the university, and at hacker cons).
OSWP, Sec+
jinwald12

Jr. Member

Posts: 77

Joined: Thu Nov 05, 2009 5:42 pm

Post Tue Nov 27, 2012 5:29 pm

Re: 12 Steps to a malware free existence

He forgot to mention the tin foil hats and VPN chaining.
where did all the fun go?
jinwald12

Jr. Member

Posts: 77

Joined: Thu Nov 05, 2009 5:42 pm

Post Tue Nov 27, 2012 5:34 pm

Re: 12 Steps to a malware free existence

But to be honest, use-specific VMs are better and more cost efficient. Assuming your virtualization software is up to date, it's really unlikely that malware will "jump the petri dish", as it were. Also, BackTrack 5 runs as root on an outdated version of Ubuntu with tons of after-market modifications; I would not use it to do banking under most circumstances.
where did all the fun go?
Hudson185

Newbie

Posts: 12

Joined: Fri Nov 16, 2012 1:07 pm

Post Tue Nov 27, 2012 7:37 pm

Re: 12 Steps to a malware free existence

BackTrack 5 may be outdated, but it has the BackTrack 5 boot option BackTrack Forensics (http://www.backtrack-linux.org/wiki/ind ... nsics_Boot).
As long as you change the default root password it's okay to run as root on a live CD. Provided you power the PC down after each session, that should provide more than enough protection.
Certifications:
OSWP
jinwald12

Jr. Member

Posts: 77

Joined: Thu Nov 05, 2009 5:42 pm

Post Tue Nov 27, 2012 8:34 pm

Re: 12 Steps to a malware free existence

Are you crazy? It's never a good idea to run as root; the whole point of sudo/levels of privilege is to allow for "security in layers", so that if they compromise the signed-in user, an attacker does not have free rein of the system; they have to find a way to escalate privileges. And it does not matter if it's a forensics boot or not, BackTrack is still based off of an outdated platform.
where did all the fun go?
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Nov 27, 2012 10:19 pm

Re: 12 Steps to a malware free existence

Why is everyone saying BackTrack is outdated? It's based off an LTS version of Ubuntu and is still completely supported: https://wiki.ubuntu.com/LTS
The day you stop learning is the day you start becoming obsolete.
rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Tue Nov 27, 2012 11:09 pm

Re: 12 Steps to a malware free existence

You're making a fatal mistake too. Even live cds have flaws. I would suggest finding my Derbycon talk, to see just a few of them.
OSWP, Sec+
Hudson185

Newbie

Posts: 12

Joined: Fri Nov 16, 2012 1:07 pm

Post Tue Nov 27, 2012 11:33 pm

Re: 12 Steps to a malware free existence

Yes, live CDs have flaws and running as root does have its drawbacks, but because live CD sessions are non-persistent, that would require an attacker to re-exploit the machine multiple times. These assumptions are reasonable for a power user to follow; 99% chance of not getting hacked.
Last edited by Hudson185 on Tue Nov 27, 2012 11:36 pm, edited 1 time in total.
Certifications:
OSWP
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Nov 28, 2012 8:54 am

Re: 12 Steps to a malware free existence

Hudson185 wrote:
Yes, live CDs have flaws and running as root does have its drawbacks, but because live CD sessions are non-persistent, that would require an attacker to re-exploit the machine multiple times. These assumptions are reasonable for a power user to follow; 99% chance of not getting hacked.

That's assuming you're in a diskless system or that the disks are fully encrypted. If neither of those is the case, an attacker could dump hashes, create new autorun entries, etc. There are plenty of possibilities for long-term/persistent attacks.

+1 for Chris' talk. The default root/toor usage statistic alone was pretty awesome 8)
The day you stop learning is the day you start becoming obsolete.