Orange County Security SIG

Well, it's official now. Mal-ware is the most secure thing on many computers and Internet sites today. I was reading a list of big security mistakes when a very sophisticated web robot started going around. One that has many features to combat any attempt to compromise it. I will use that robot (bot) to highlight some of the security actions I've talked about before. The three lists cover places that private information has been lost because the data wasn't encrypted, sites that can be used for Cross-Site-Scripting, and banks that don't encrypt logins. The bot, "Spamthru", is a very complicated money making spambot that promotes a stock pump-and-dump scheme. This trojan was found by the famous malware researcher Joe Stewart of LURHQ (now owned by SECUREWORKS). It is based on spyware dating back to March but a new version was found in October. It is much more complex than previous spam-bots like Sober, Bobax, or Bagle. It's complexity rivals some commercial software. I guess you could call spam a business endeavor which would give the writers motivation to produce a quality product. While there have been programs that automate sending spam before, spamthru uses some techniques that sets it apart from it's predecessors. Some of the techniques listed have been used before, but a couple are brand new ideas. What it does:

• opens a back door for communications to the bot network
• protects from denial of service by using P2P and a server network
• avoids detection of static text by encrypting the spam
• avoids detection of static code by regularly downloading program updates
• avoids detection of static images by randomly altering GIF files
• avoids detection of static hash values by adding random phrases
• avoids AV updates with HOST file entries
• avoids AV scans by installing it's own AV in a rootkit fashion.
• defeats partial fixes by using multiple registry keys
• keeps others off their network with a call/response authentication
• guarantees efficiency by removing other malware

How to protect yourself from it:

• WATCH FOR BACKDOORS by checking open ports with FPORT, TCPVIEW, or NETSTAT
• VERIFY THE REGISTRY RUN KEYS with AUTORUN, MSCONFIG, or CCLEANER
• VERIFY THE HOST FILE
• LOCK THE HOST FILE by denying write permissions or use Spybot Search & destroy
• UPDATE YOUR AV only when the above steps are taken
• USE AN IDS on an enterprise network
• WATCH AV REPORTS for an untimely shutdown

How to clean yourself of it: X-CLEANER removes SPAMTHRU on a desktop and both RTGuardian and G.E.M. handle enterprise networks. MISC URLS XSS hall of shame; www.nist.org/nist_plugins/content/content.php?content.61 banks that use insecure logins; www.securewebbank.com/loginssluse.html Non-Encryption hall of shame; www.nist.org/nist_plugins/content/content.php?content.54 AUTORUNS and TCPVIEW; sysinternals.com CCLEANER; ccleaner.com WINPATROL; winpatrol.com SPYBOTS&D; www.safer-networking.org/en/download/ X-CLEANER; www.xblock.com RTGuardian and GEM; facetime.com My discussion of SPAMTHRU is just an over-view based on analysis performed by others. www.secureworks.com/analysis/spamthru/ www.spywareguide.com/spydet_3023_spamthru.html www.darkreading.com/document.asp?doc_id=107951 www.eweek.com/article2/0,1895,2034680,00.asp