November 05, 2006
Well, it's official now. Malware is the most secure thing on many computers and Internet sites today. I was reading a list of big security mistakes when a very sophisticated web robot started going around, one that has many features to combat any attempt to compromise it. I will use that robot (bot) to highlight some of the security actions I've talked about before. The three lists cover places where private information has been lost because the data wasn't encrypted, sites that can be used for cross-site scripting, and banks that don't encrypt logins.

The bot, "Spamthru", is a very complicated money-making spambot that promotes a stock pump-and-dump scheme. This trojan was found by the famous malware researcher Joe Stewart of LURHQ (now owned by SecureWorks). It is based on spyware dating back to March, but a new version was found in October. It is much more complex than previous spambots like Sober, Bobax, or Bagle; its complexity rivals some commercial software. I guess you could call spam a business endeavor, which would give the writers motivation to produce a quality product. While there have been programs that automate sending spam before, Spamthru uses some techniques that set it apart from its predecessors. Some of the techniques listed have been used before, but a couple are brand new ideas.

What it does:
- opens a back door for communications to the bot network
- protects itself from denial of service by using P2P together with a server network
- avoids detection of static text by encrypting the spam
- avoids detection of static code by regularly downloading program updates
- avoids detection of static images by randomly altering GIF files
- avoids detection of static hash values by adding random phrases
- avoids AV updates with HOST file entries
- avoids AV scans by installing its own AV in rootkit fashion
- defeats partial fixes by using multiple registry keys
- keeps others off its network with call/response authentication
- guarantees efficiency by removing other malware
What to do about it:
- WATCH FOR BACKDOORS by checking open ports with FPORT, TCPVIEW, or NETSTAT
- VERIFY THE REGISTRY RUN KEYS with AUTORUNS, MSCONFIG, or CCLEANER
- VERIFY THE HOSTS FILE
- LOCK THE HOSTS FILE by denying write permissions, or use Spybot Search & Destroy
- UPDATE YOUR AV only after the above steps are taken
- USE AN IDS on an enterprise network
- WATCH AV REPORTS for an untimely shutdown
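As an added example (not code from this post or from the Spamthru analysis it summarizes), here is a small Python auditor for the "verify the HOSTS file" and "lock the HOSTS file" steps above. It parses the file, flags any hostname that has been sinkholed to loopback or 0.0.0.0, flags any name on an operator-supplied watchlist of update hosts wherever it points, and reports whether the current user can still write the file. The sample file contents and the `av-vendor.example` watchlist are constructed placeholders; replace the watchlist with your own AV vendor's update hostnames.

```python
"""Audit a HOSTS file for entries that could block AV or OS updates.

Added example, not code from the post or from the Spamthru analysis.
Usage on Windows: python hosts_audit.py C:\\Windows\\System32\\drivers\\etc\\hosts
Without a path it audits the constructed sample below.
"""
import ipaddress
import os
import sys
from dataclasses import dataclass

# Names a stock hosts file legitimately maps to loopback.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                  "ip6-localhost", "ip6-loopback"}

# Addresses typically used to sinkhole a hostname locally.
SINKHOLE_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("0.0.0.0/32"),
                 ipaddress.ip_network("::1/128")]

# Placeholder watchlist (assumption): replace with your AV vendor's update hosts.
WATCHLIST = ("av-vendor.example",)

# Constructed sample file, not taken from any real infection.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.corp.example
127.0.0.1       updates.av-vendor.example
0.0.0.0         liveupdate.av-vendor.example
127.0.0.1       windowsupdate.example   # sinkholed, not on the watchlist
"""


@dataclass
class Finding:
    line_no: int
    address: str
    hostname: str
    reason: str


def parse_hosts(text):
    """Yield (line_no, address, hostnames) for each active line; skip comments and blanks."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: an address with no hostname
        yield line_no, fields[0], fields[1:]


def is_sinkhole(address):
    """True if the address points the name at the local machine or at nowhere."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # not a valid IP; the resolver ignores such lines anyway
    return any(ip in net for net in SINKHOLE_NETS)


def on_watchlist(hostname, watchlist):
    """True if hostname equals, or is a subdomain of, a watchlisted domain."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watchlist)


def audit_hosts(text, watchlist=WATCHLIST):
    """Return the list of suspicious entries found in hosts-file text."""
    watch = [d.lower() for d in watchlist]
    findings = []
    for line_no, address, names in parse_hosts(text):
        for name in names:
            if on_watchlist(name, watch):
                findings.append(Finding(line_no, address, name,
                                        "watchlisted update host redirected"))
            elif is_sinkhole(address) and name.lower() not in LOOPBACK_NAMES:
                findings.append(Finding(line_no, address, name,
                                        "non-local name sinkholed to loopback/0.0.0.0"))
    return findings


def hosts_writable(path):
    """True if the current user can write the file (after the lock step this should be False)."""
    return os.access(path, os.W_OK)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        path = sys.argv[1]
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        print(f"{path} writable by current user: {hosts_writable(path)}")
    else:
        text = SAMPLE_HOSTS
    for f in audit_hosts(text):
        print(f"line {f.line_no}: {f.address} {f.hostname} -> {f.reason}")
```

A watchlisted name is reported wherever it points, because a redirect to a remote address is as effective at breaking updates as a loopback entry; for every other name only a loopback or 0.0.0.0 mapping is reported, so ordinary intranet entries stay quiet. Run it against the live file before updating the AV, as the checklist says, and again after locking the file to confirm the write check comes back False.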
SECSIG meets in the Science building 203 at 11:15 am.
By attending the SECSIG you can ask questions and open discussions about troubling situations you are having now.
The RSS feed address is http://ocsecsig.blogspot.com/atom.xml
Dave Keays, SIG leader