


Security 2




Updated: 06.07.2017











ABOUT INFECTIONS AND CLEANING 1


Well, I must confess that I was in fact "infected" with the Bagle.AF worm back then (with an anti-virus program installed and running, but with its on-access protection/monitoring disabled), and it was certainly all because of me and my ignorance and not because of a lack of knowledge. It is that I often examine viruses/trojans for export functions, which libs they call etc. So this time, I right-clicked on one of the files containing the trojan-horse (or worm) that I had recently received by e-mail as usual (before moving it to my "collection of nasties" in the encrypted volume); however, this time I was too quick clicking it, and so I mistakenly chose "Open" instead of "View Dependencies" (to send it to Dependency Walker) or "SendTo" BinText (to send it to Foundstone's BinText application, i.e. to see the file's strings/contents). I've mentioned this program many times already (usually together with Enabler from Securitysoftware), but as far as I remember not yet in this thread that's dedicated to mentioning/listing such awesome programs. As mentioned, I am talking about Foundstone's file/binary viewer called BinText that I use as an addition to "Lister", which is built into the Total Commander file-manager. The Lister plugin is also available as a standalone win32 application, while for other cool related tools see the "Addons" page. Here's a link to a screenshot of its interface for a better picture: http://img199.imageshack.us/img199/1986/bintextwi4.gif. The best feature of this program (i.e. BinText) is that it filters out particular characters so that there is no need to search through "mess" when viewing files (this is fully configurable), while additionally it separately displays "ANSI strings" with a green "A", "Unicode strings" (or double-byte ANSI) with a red "U", and "Resource strings" with a blue "R".
Anyway, luckily I was running Sysinternals' Filemon and Regmon applications at that particular time, so I later simply reversed all the changes made by that worm/trojan-horse without any problem. I simply deleted the created Run registry key, deleted the SYSXP.exe file that was created and executed as a process after the "infection" (and was noticeably slowing down the system), and a few other related files. And even if I hadn't been running those programs, there is a common pattern of a few things that almost every malicious software does. In most cases, the file is executed and therefore visible running as a process, and second, this process usually creates a registry entry under the HKLM or HKCU branches, in one of the Run subkeys.

However, it is true that there are also others which are even more dangerous (as I've heard); for example, some of them try to prevent the user from accessing virus/spyware cleaning pages and similar, and some shut down anti-spyware related software when they are executed. And also, I've read of one even more dangerous and scary thing. Some viruses are supposed to change some pointer locations in the BIOS (or CMOS, I really forgot), so that after infection they refer to other registers. That could be pretty bad, and I was actually afraid that this had happened to me (see below). One more thing about this Bagle.AF worm "infection". Somehow at that time, my C partition was screwed (containing XP's pagefile and the Windows 98/SE OS). The cause was that there was suddenly no file system on the C volume (partition), just a "raw" disk. I clearly saw the data was still untouched. I was already thinking of finally low-level formatting the HD (as I have planned for a long time now, because of other problems, like two bad sectors that were not solved by Windows FORMAT), but again, luckily, I didn't panic, and I first tested the drive with the HD manufacturer's PowerMax utility (for my Maxtor ATA-IDE hard-drive), and huh, it fixed the error. Because of PowerMax's warning displayed before fixing it, I was in doubt; maybe if I tried, it would screw up all the other partitions too, but all the errors were luckily fixed by the PowerMax utility, although I still don't know for sure what the actual reason for the C partition losing its file system was: the worm, or maybe something else.

Another "virus/worm/trojan story" was the one when I was once cleaning my friend's computer, and discovered that he had a Dust.exe virus which integrated itself into the shell (it attached itself to Explorer), meaning that the virus had put a very obvious "/dust.exe" parameter into the "HKLM\...\Run" registry key (like this: Explorer.exe /dust.exe), in the form of three instances, i.e. three separate files in the C:\ root, C:\Windows\ and C:\Windows\System32\, 300 MB in length each, which he also had on his machine. I even noticed it with Autoruns from Sysinternals before "we" actually installed an antivirus program. Well, finally AVG permanently cleaned it. But while dealing with that virus, I discovered another nasty with TCPView. It was a running process with the image-name bot.exe; a worm which was actually worse than a virus (see above), i.e. the thing was that if you terminated it, it was set to *somehow* restart itself, and if you attempted to delete the file when the process had exited (i.e. was not running anymore; and I tried very "strong" methods, however, I forgot to use the "Suspend" method), you got that Windows warning: "you can't delete file, it is used by another process..." (or something like that), so I just tried to delete the executable file of the process just before it restarted itself, and the third time I succeeded. This worm/trojan (or whatever) was also using so many TCP endpoints (i.e. connecting to various remote servers), certainly much, much more than normal port scanning, that I couldn't even read the IPs (and ports) to find out where it was trying to connect to. Yeah, I didn't remember at that time that I could use a command prompt and take only one current "shot", or simply log/stream the output into some file. Anyway, I gained a lot of experience from this whole procedure.



ABOUT INFECTIONS AND CLEANING 2


Finally, the latest such story of cleaning after an infection was the one with the Haxdoor trojan; especially be aware of the interesting techniques described (with added screenshots) that I used to get rid of it, in the first thread linked in the paragraph below. I am not sure whether it was a worm or a trojan (although "Haxdoor" supposedly is a trojan) or simply a very nasty virus that worked "through" installing a rootkit. Similarly to the "ABOUT ANTI-VIRUS PROGRAMS 1" section on the "software1.html" page, I am posting below a related part of my post from the "So I got rootkitted recently..." thread on "Ars OpenForum": http://episteme.arstechnica.com/eve/forums/a/tpc/f/99609816/m/131008727931. I had already written it in a way so that it would be clearly visible that it's a forum-post (inside the "<blockquote>" element), but similarly to that section on page "software1.html" I rather decided to format it as a normal article. And as an FYI, I already mentioned this particular infection on page "events10.html" in the "events-entry" titled "14.01.2007 (part 1)", on page "events9.html" in the "events-entry" titled "26.09.2006 (part 1)", and for the first time on page "events8.html" in the "events-entry" titled "23.08.2006 (part 1)".

Anyway, if you want to, see the "/Fixed: HELP: My computer was probably infected and now I am afraid to reboot" thread that I've opened on "Ars OpenForum": http://episteme.arstechnica.com/eve/forums/a/tpc/f/99609816/m/464002950831 (or alternatively the "A sort of a report on an infection that I've managed to solve" one on the "Avast" forum: http://forum.avast.com/index.php?topic=22960.0), in which I described the solution to a similar rootkit/virus/worm/trojan infection (or simply a virus that works "through" a rootkit) and the various interesting techniques that I used, in great detail.

So here's the whole story (i.e. many posts merged into one to tell all the details): it all started when I got a spam e-mail message containing an obvious virus/worm attachment "z3566043.zip". But the problem is that I like to "examine" those sorts of things, and so I un-zipped the "z3566043.exe" executable contained in it, first sent it to a binary viewer, then executed it as a "limited user" (that was the original mistake) etc.; of course, with Filemon and Regmon running all the time so that I could revert any changes made. And then strange things started occurring (not in the behaviour of the computer, but otherwise); for instance, I saw this strange process in Process Explorer (with no command-line, no info whatsoever, just a "blank" line in the process pane), while the strangest thing was that I couldn't delete the executable (i.e. the "z3566043.exe" file), nor rename/move it without problems, while when I tried editing it with a hex-editor I got that "Access is denied ..." warning. Further, when I was looking for any handles with that string in the name, I found a few references to this strange "ydsvgd.dll" file that didn't even exist (obviously it was hidden) on my hard-disk under the "D:\WINDOWS\system32\ydsvgd.dll" path, as it was shown in Process Explorer!! (Here is the link to a screenshot of PE's "DLL/Handle" search window: http://img162.imageshack.us/img162/745/procexpydsvgddllzi1.gif, and the link to a screenshot of Dependency Walker's main window: http://img226.imageshack.us/img226/848/dependsydsvgddllbb7.gif.)

If I invoked "DLL Properties" in PE I got this: Image: , Memory: "ydsvgd.dll.txt": http://tadej-ivan.50webs.com/remote/ydsvgd.dll.txt (it's a 15 KB file that I've uploaded to my FTP server); then in Autoruns I found this entry:


"ydsvgd ........ File not found: ........ D:\WINDOWS\system32\ycsvgc.sys"

While when I ran HijackThis, it found the entry below, which was apparently added by it:

"O20 - Winlogon Notify: ydsvgd - D:\WINDOWS\SYSTEM32\ydsvgd.dll"

Especially confusing to me was why, if the "ydsvgd.dll" file was the one locked, I couldn't delete the "z3566043.exe" executable either (even after I successfully renamed it to "oi.x", I still got "Access is denied ..."), which didn't seem to have any "references" to it in any running process!! And finally, I also discovered that the program had added itself to XP SP2 firewall's exclusion rules as "explorer". Here's the link to a screenshot of XP's firewall exclusion: http://img450.imageshack.us/img450/6879/firewallz3566043exekk9.gif.
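The indicators the stories above rely on (an autorun entry under one of the Run keys whose image is gone or unknown, an Explorer.exe entry carrying a foreign parameter like "/dust.exe", an Autoruns "File not found" image, and a Winlogon Notify DLL that is not part of a stock install) can be triaged from a HijackThis-style log. The script below is an added example written for this page, not a tool from the page or from the HijackThis/Autoruns authors; the sample log lines are constructed, the allowlist of stock XP Winlogon Notify packages is an assumption, and the `path_exists` hook stands in for Autoruns' file check so the triage can run offline against a log from another machine.

```python
import ntpath
import os
import re
from dataclasses import dataclass
from typing import Callable, List

# Constructed HijackThis-style log lines (not a real log). The O20 ydsvgd line is
# the one quoted on this page; the Explorer.exe /dust.exe and SYSXP.exe entries
# mirror the Dust.exe and Bagle.AF stories; avgcc.exe and crypt32chain stand in
# for legitimate entries.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Explorer] Explorer.exe /dust.exe
O4 - HKCU\..\Run: [SYSXP] C:\WINDOWS\system32\SYSXP.exe
O20 - Winlogon Notify: ydsvgd - D:\WINDOWS\SYSTEM32\ydsvgd.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# HijackThis line shapes: "O4 - <hive>\..\<key>: [<name>] <command>" and
# "O20 - Winlogon Notify: <name> - <dll path>".
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[A-Za-z]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

# Assumption: Winlogon Notify packages present on a clean Windows XP install.
# Anything else hooking Winlogon deserves a closer look (Haxdoor used this hook).
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}


@dataclass
class Finding:
    line: str
    reason: str


def split_command(cmd: str):
    """Split an autorun command into (image, arguments), honouring a quoted image path.
    Unquoted paths containing spaces are ambiguous and are cut at the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
        return cmd[1:], ""
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def triage(log_text: str, path_exists: Callable[[str], bool] = os.path.exists) -> List[Finding]:
    """Flag the autorun patterns described on this page. path_exists is injectable so
    the check can be run against a log taken from another machine (or offline)."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            image, args = split_command(m.group("cmd"))
            if ntpath.basename(image).lower() == "explorer.exe" and args:
                findings.append(Finding(line, "shell launched with a parameter (Explorer.exe /dust.exe pattern)"))
            elif "\\" in image and not path_exists(image):
                # Autoruns reports the same condition as "File not found"
                findings.append(Finding(line, "autorun image not found on disk"))
            continue
        m = O20_RE.match(line)
        if m and m.group("name").lower() not in STOCK_NOTIFY:
            findings.append(Finding(line, "Winlogon Notify DLL not part of a stock XP install"))
    return findings


if __name__ == "__main__":
    known = {r"C:\PROGRA~1\Grisoft\AVG7\avgcc.exe"}  # pretend only this image exists
    for f in triage(SAMPLE_LOG, path_exists=lambda p: p in known):
        print(f"{f.reason}\n    {f.line}")
```

On a live machine, call `triage(open("hijackthis.log").read())` and the default `os.path.exists` performs the file check itself.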






MY PREVENTION SPEECH FOR CASTLECOPS


And finally, I also copied my so-called "PREVENTION SPEECH" (on how to prevent future re-infections etc.) that I use as a 1st Responder trainee on the CastleCops forum: http://castlecops.com, particularly in the HijackThis section: http://castlecops.com/f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html, while here are my two user-profile pages: http://castlecops.com/userinfo-satyr.html and http://castlecops.com/modules.php?name=Forums&file=profile&mode=viewprofile&u=31896. But for starters, here in a few concise sentences is a summary of the most important rules below: keep Windows and Internet Explorer current with the latest critical security updates from the Microsoft update page; this will patch many security holes through which attackers can gain access to your computer. Prevent spyware-related problems and problems related to other potentially unwanted software (such as dialers, browser hijackers and adware) with SpywareBlaster, which includes "Internet Explorer", "Mozilla/Firefox" and "Restricted Sites" protection; you can get SpywareBlaster here: http://www.javacoolsoftware.com/spywareblaster.html. Eliminate dangerous cookies, prevent dangerous system changes and homepage hijacking, and increase your general browser security by using two further free programs: you can get SpywareGuard here: http://www.javacoolsoftware.com/spywareguard.html and IE-SPYAD here: https://netfiles.uiuc.edu/ehowes/www/resource.htm. And finally, often delete your browsing traces stored by Internet Explorer: go to Tools in Internet Explorer's main window menu (or open Control Panel), in either one choose/click the Internet Options applet, go to the General tab (it opens there by default) and click on the "Delete Cookies...", "Delete Files..." and "Delete History..." buttons.
Here you will find a few linked websites and, below, no fewer than 10 crucial points with SECURITY-RELATED RULES, TIPS AND HINTS that you should follow to lower the chances of future malware infections, and to prevent re-infections in general. If you want to, also read the linked articles below.

The 1ST Responder's prevention speech

Congratulations [ user_name ], your HijackThis log shows that your system is indeed clean ...

However, now that your system is clean, you need to actively protect yourself against any re-infections in the future. To reduce the chances of future malware infections, and to prevent any re-infections, here below are a few very useful general security/privacy related suggestions, tips and hints (note that some might be duplicated since I still need to clean this section up):

First, you should always SET A NEW RESTORE POINT after your computer has been cleaned out, to prevent any future reinfection from the old restore points. Any virus, worm, trojan horse or spyware that you've picked up in the past could have been stored in System Restore and is just waiting to re-infect you. Since the files and directories saved by System Restore are protected, your file-manager doesn't have access/permission and therefore cannot delete them. Setting a new restore point also keeps your computer able to "roll back" in case of a problem in the future. Besides the steps below, you can also check the tutorial for the Windows XP operating system on the Bleepingcomputer website: http://www.bleepingcomputer.com/forums/index.php?showtutorial=56.

To set/create a new system restore point:

- Go to Start -- Programs -- Accessories -- System Tools and click "System Restore".
- Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
- Then go to Start -- Run and type: Cleanmgr
- Click "OK".
- Click the "More Options" Tab.
- Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

I highly recommend you read the security-related articles listed here:

- Ralph Caddell's Find and Eliminate Spyware, to learn more about spyware and how to eliminate it;
- Pieter Arntz's Help Preventing Spyware, for detailed instructions on how to install and use the above preventive tools;
- Tony Klein's How did I get infected in the first place?;
- Configure Windows XP: Create Your Accounts on the Microsoft site, which deals with how to set up a user account (instead of an administrator one) to prevent malware installation and other stuff;
- Safer Settings for Internet Explorer for SP1 & SP2, written by Larry Stevenson and hosted here at the CastleCops site;
- the How to Protect Yourself page on the Aumha website;
- TomCat's computer-safety overview article Secure Your Home Computer;
- Simple and easy ways to keep your computer safe under the "tutorials" section on the Bleepingcomputer site;
- and finally, the Rogue/Suspect Anti-Spyware Products listing of rogue/suspect programs vs. good security programs, nicely sorted in a table.


A few useful suggestions, tips and hints:

1. As you might already know (it's also stressed in many of the articles linked above), it is very important to keep Windows and Internet Explorer current with security updates from the Microsoft update page (at least with the latest "critical" ones); this will patch many new security holes through which attackers can gain access to your computer. Also, consider upgrading to Service Pack 2 for Windows XP (SP2 in short), which implements many new security features (such as a "popup blocker", the firewall's "outbound connection attempt warning/prompt" etc.) and additionally enhances and fixes bugs/vulnerabilities in old ones.

2. Then, it is also crucial to frequently delete your browsing traces stored by your web-browser. To do this in Internet Explorer, first go to Tools in its main menu (or open Control Panel), and in either one choose/double-click the "Internet Options" applet, go to the General tab (it opens there by default) and click on the "Delete Cookies...", "Delete Files..." and "Delete History..." buttons. It's best that the Internet Explorer process is not running while performing these steps. In Firefox, first go to Tools in its main menu, and choose/click the "Clear Private Data..." menu-item.

3. Further, make sure that your firewall program is functioning properly. To do this, click on the Start Menu, choose the Run item, type "services.msc" (with or without quotes, it doesn't matter) in the input field and click OK. When the Services window opens, scroll down through the list of services and check if the "Windows Firewall/Internet Connection Sharing (ICS)" service is set to the Automatic startup-type and running (through the "Properties" menu-item); otherwise set it like that. If you have a fully patched operating system, then Windows XP SP2's built-in firewall is enough; however, if you want/need more protection (for instance outbound traffic filtering), then you can always download and install third-party firewall software.

4. Make sure that your anti-virus program is functioning properly. To do this, first make sure that your subscription is not out of date (of course, only if you are not using free anti-virus software). This is because with some anti-virus software, if your product subscription is out of date, then the anti-virus program can no longer download and install new/updated virus definitions, thus it can't detect the latest viruses, worms and trojan horses. Further, you need to configure your anti-virus program to check for new/updated virus definitions frequently (at least once a week or so), but remember that it's best to do it as often as possible. Then also make sure your anti-virus program is configured to perform a scheduled scan of the computer's hard-disk (which usually also includes memory scanning).

5. In general, do not rely on an anti-virus program's real-time scanning engine alone, but make sure that you are also using some kind of anti-adware and anti-spyware software which performs real-time scanning too. One program that I can recommend is SpywareGuard, which is also developed by JavaCoolSoftware (same as SpywareBlaster below): http://www.javacoolsoftware.com/spywareguard.html, and also see this tutorial in a thread on the Bleepingcomputer forum: http://www.bleepingcomputer.com/forums/index.php?showtutorial=50.

6. Make sure to prevent spyware and other potentially unwanted software-related problems (dialers, hijackers, adware and spyware) with another application from the JavaCoolSoftware website called SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html. SpywareBlaster includes "Internet Explorer", "Mozilla/Firefox" and "Restricted Sites" protection. Same as in the paragraph above, see this tutorial in a Bleepingcomputer forum thread: http://www.bleepingcomputer.com/forums/index.php?showtutorial=49. Another similar program which helps to eliminate dangerous cookies, prevent dangerous system changes and home-page hijacking, and increase your general browser security is IE-SPYAD: https://netfiles.uiuc.edu/ehowes/www/resource.htm, and again, same as above, also see this tutorial on the Bleepingcomputer forum: http://www.bleepingcomputer.com/forums/index.php?showtutorial=53.

7. If you receive an unsolicited e-mail message, do not open it, or better yet, delete the message right away. If you get an unexpected message, for instance an e-mail from a friend that you were not expecting, or one with a strange/unusual subject etc., do not open it but rather immediately contact your friend and ask if he/she has actually sent the message. Be sure to not even "preview" the e-mail message in question, since with some e-mail clients it's enough to only highlight that particular e-mail message to get infected. If your e-mail client is configured this way, turn off the automatic preview or even turn off the preview feature completely. Also consider using an anti-spam filtering program; I use and recommend the K9 program from Keirnet software: http://www.keir.net/k9.html (here is also a link to a file that I've uploaded to the CastleCops website: http://castlecops.com/downloads-file-497-details-K9%20version%201.2.8.0.html).

8. It is clever to consider using one of many content-filtering programs or proxies (local or remote ones); programs like, for instance, Proxomitron: http://castlecops.com/downloads-file-270.html, which is a local/remote proxy and filtering application. Then there is DNSKong: http://www.pyrenean.com/?page_value=-1 from the Pyrenean website (yet again, a link to a file at CastleCops: http://castlecops.com/downloads-file-494-details-DNSKong.html), a local DNS server running on your own machine which uses customized filter rules to substitute the IP address of your own machine for the computer names you wish to filter. DNSKong is system-wide and basically works for any program, like e-mail clients and web-browsers, as well as for any other programs that access the Internet. And finally the eDexter program: http://www.pyrenean.com/?page_value=-2 from the same website/author as DNSKong above (once again, a link to a file at CastleCops: http://castlecops.com/downloads-file-498-details-eDexter.html), which supplements Internet filtering by substituting local images for filtered images in order to prevent browser stalls and other annoyances. You can use eDexter's internal transparent image or even use your own images.

9. I urge anyone with a dial-up connection to always set your computer's modem settings to "Never dial a connection", and especially to "Show terminal window" before dialing for the particular connection/account you are currently using. This way, there is no chance for malicious "dialer" programs to do any harm. Here are two links to screenshots of windows with these two settings stored at CastleCops (I used the graphics in one of my posts): http://castlecops.com/modules.php?name=Forums&file=download&id=5725, http://castlecops.com/modules.php?name=Forums&file=download&id=5726, and links to two screenshots hosted on Imageshack: http://img259.imageshack.us/img259/5233/terminalwindow0gb.gif, http://img259.imageshack.us/img259/8858/connection2qc.gif. Optionally also read the related "Security and dial-up" article that I wrote for the CastleCops wiki: http://wiki.castlecops.com/Security_and_dial-up.

10. Finally, it is also clever to consider adjusting the safety level for Internet Explorer's "active content", although the steps described below are meant only for more or less experienced users. To modify the safety level for active content, first go to "Tools" in Internet Explorer's menu (or alternatively open the Control Panel), in either one choose/click "Internet Options" and go to the "Security" tab. First, a short explanation of the available pre-set safety levels:


- High (the most secure one) ... it excludes the content that could damage your computer

- Medium (quite secure) ...it warns you before running potentially dangerous content

- Medium-Low (same as Medium) ... without prompting before running potentially dangerous content

- Low (the least secure one) ... minimal restrictions and warnings, most of the content is downloaded and/or run without prompts

- Custom Level (for experienced users) ... you choose all the security settings by yourself

Then just select one of the available zones and see if the slider for the four safety levels is visible. If you don't see the slider or the "Custom Level..." button, first click on the "Default Level" button and apply the changes; then the slider and the "Custom Level..." button will appear. After the "Custom Level..." button appears, you can customize the detailed settings, although this is meant only for experienced users.

a. Configure Internet Explorer so that it does not run Active scripts automatically: Choose the Internet Web content zone (world icon), click "Custom Level..." button, go to the Scripting section, and choose the Disable check-box under "Active scripting" and "Scripting of Java applets". Click OK to apply the changes.

b. Configure Internet Explorer so that it does not run Java programs automatically: Choose the Internet Web content zone, click the "Custom Level..." button and click "Disable Java" under Permissions. Click OK to apply the changes.

c. Configure Internet Explorer to not automatically use items that show active content (animations, marquees): Choose the Internet Web content zone, click "Custom Level..." button and click Disable under Download signed ActiveX controls, Download unsigned ActiveX controls, Initialize and script ActiveX controls not marked as safe, Run ActiveX controls and plugins, and Script ActiveX controls marked safe for scripting. Click OK to apply the changes.

Optionally, if you are confident enough in your computing skills, also check the Privacy tab and configure the additional privacy settings for the Internet zone. Finally click on the OK button to close all pop-up windows until you return to Internet Explorer or Control Panel.
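Point 8 above describes how DNSKong works: a local DNS server that answers queries for filtered host names with your own machine's address, so the filtered site is never contacted. The block below is an added example written for this page, not DNSKong's code; it implements that core decision for A/IN queries using a constructed rule set, 127.0.0.1 as the assumed local address, and an upstream resolver placeholder (192.0.2.53) for everything that is not filtered.

```python
import socket
import struct

# Constructed filter rules: a name matches if it equals a rule or is a subdomain of one.
FILTER_RULES = {"ads.example.com", "tracker.example.net"}
LOCAL_IP = "127.0.0.1"  # assumption: the machine's own address, as DNSKong substitutes


def read_name(packet: bytes, offset: int):
    """Decode a label-sequence name at offset; returns (name, offset after it).
    Queries carry uncompressed names, so a compression pointer here is an error."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed name where a plain label sequence was expected")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def is_filtered(name: str, rules=FILTER_RULES) -> bool:
    parts = name.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in rules for i in range(len(parts)))


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Standard recursive A/IN query, as a stub resolver sends it to the local server."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def sinkhole_response(query: bytes, rules=FILTER_RULES, local_ip=LOCAL_IP):
    """Answer a filtered A query with local_ip; return None for anything else."""
    qid, _flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        return None
    name, off = read_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    if qtype != 1 or qclass != 1 or not is_filtered(name, rules):
        return None
    # Header: same ID, QR=1 RD=1 RA=1, one question, one answer.
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    question = query[12:off + 4]
    # Answer: pointer to the question name at offset 12, type A, class IN, TTL 60, 4-byte RDATA.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(local_ip)
    return header + question + answer


def answered_address(response: bytes) -> str:
    """Pull the IPv4 address out of the first answer of a response built above."""
    _, off = read_name(response, 12)
    off += 4  # skip QTYPE and QCLASS
    if response[off] & 0xC0 == 0xC0:
        off += 2  # compression pointer
    else:
        _, off = read_name(response, off)
    rdlength = struct.unpack("!H", response[off + 8:off + 10])[0]
    return socket.inet_ntoa(response[off + 10:off + 10 + rdlength])


def serve(bind=("127.0.0.1", 5353), upstream=("192.0.2.53", 53)):
    """UDP loop: filtered names are sinkholed, everything else is relayed upstream.
    192.0.2.53 is a documentation-range placeholder; use your real resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, \
            socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as fwd:
        sock.bind(bind)
        fwd.settimeout(3)
        while True:
            data, peer = sock.recvfrom(512)
            try:
                reply = sinkhole_response(data)
                if reply is None:
                    fwd.sendto(data, upstream)
                    reply, _ = fwd.recvfrom(4096)
            except (socket.timeout, ValueError):
                continue  # malformed query or upstream silence: drop, client retries
            sock.sendto(reply, peer)


if __name__ == "__main__":
    print(answered_address(sinkhole_response(build_query("www.ads.example.com"))))
    print(sinkhole_response(build_query("www.example.com")))
```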












Copyright © Tadej Persic. Some Rights Reserved.









