23_917106 bindex.qxp 12/21/06 12:09 AM Page 365

Index

• Numerics •
16-bit architectures, 105
32-bit architectures, 105
64-bit architectures
  GMER working with, 289
  understanding, 105

• A •
Abrams, Lawrence (Bleeping Computer Web site owner), 349
access
  backdoors giving, 12–13
  limiting/controlling physical, 140
  need to limit, 139–140
account logon events, auditing, 124–125
account management, auditing, 125
AccuHash 2.0, verifying system file integrity with, 243
Acronis True Image
  on DART CD, 359
  using, BC14
Active@ Kill Disk, using, BC22–BC23
ActiveX
  blocking, 73–76
  controls in Internet Explorer 7, 78
  danger of accepting, 65
Ad-Aware SE Personal, using, BC2–BC3
administrative access
  to disable System Restore, 325
  needing, 153
ADS (alternate data stream), 344
Advanced Password Generator
  on DART CD, 362
  using, BC18–BC19
Agnitum Outpost Firewall
  on DART CD, 358
  using, BC3–BC4
AIM (AOL Instant Messaging) network, worm infecting, 69
Answers that work process database, 199
AntiHookExec
  benefits of using with other tools, 263–264
  installing, 263
  overview, 262
  user-friendliness of, 245
  using, BC8
  using Autoruns with, 265–268
  using Process Explorer with, 268–269
  using HijackThis with, 264–265
anti-malware Real Time Monitoring, instant messaging with, 68
anti-malware utilities. See also specific utilities
  on DART CD, 358–359
  recommended, BC2–BC7
anti- , 97. See also specific software
anti-trojan software, 98–99. See also specific software
antivirus software, 98
Any Password
  on DART CD, 362
  using, BC19–BC20
AOL Instant Messaging (AIM) network, worm infecting, 69
API HookCheck (SIG^2), 164
API hooking, overview, 159
AppInit_DLLs injection, functioning of, 165–166
Application log (Windows), function of, 206
application programming interface (API)
  kernel-mode rootkits using, 156
  user-mode rootkits using, 155
application-based firewalls, 91. See also software firewalls
applications. See software
Apropos rootkits, 239, 340–341
archiving, event logs automatically, 208–210
attachments, guidelines for safe, 66–68

366 Rootkits For Dummies

auditing
  categories of security events available for, 124–126
  overview, 119–120
  resources for, 120
  turning on event logging, 121–122
  turning on security, 122–124
auditing policies
  configuring and enabling, 28
  instant messaging with, 68
Aumha Web site, 348
AutoComplete (Internet Explorer), disabling, 77
automatic updates, setting up, 105–106
AutoPlay (Windows), disabling on external drives/devices, 59
AutoRun (Windows)
  disabling, 58–59
  working without, 60
Autoruns (Sysinternals)
  on DART CD, 360
  detecting persistent rootkits with, 246–247
  editing startup list with, 49–50
  using, BC8–BC9
  using AntiHookExec with, 265–268
AVG Anti-Spyware Free, using, BC4

• B •
backdoor keyloggers, 289–290. See also keyloggers
backdoors
  allowing access through ports, 183
  overview, 12–13
  rootkits opening, 23
backing up
  importance of maintaining, 29
  preparing recovery discs for, 147–148
  recommended software for, BC14–BC16
  Registry, 42–43
  software available for, 304
  software on DART CD for, 359–360
  storing after, 304
  with Windows Utility, 44–46
bad sectors
  preparing, 327
  rootkits hiding in, 326
BadRKDemo , DarkSpy removing, 280–282
bandwidth, measuring use of, 223–224
BartPE (Bart Preinstallation Environment), 236–237
baseline
  using, 146–147
  value of, 146
BIOS
  changing boot order in, 329–331
  rootkits residing in, 324
BitDefender antivirus software, 238
blackhat hacker, 337
BlackLight (F-Secure)
  running with Rootkit Revealer, 246
  scanning for rootkits with, 251–253, 340
  user-friendliness of, 245
black-market groups, using malware, 18
Bleeping Computer Startup Programs Database, 199
Bleeping Computer Web site, 348–349
boot order, changing in BIOS, 329–331
bootable CDs
  , 316
  , 235–236
  non-, 236–238
bootsector viruses, scanning for, 60
browsers
  configuring securely, 29
  using alternate, 28
bundling, installing spyware through, 14–15
business plans, creating physical security, 143–144
Butler, Jamie (Rootkits: Subverting the Windows Kernel), 177

• C •
CastleCops Security Forum, determining toolbar legitimacy with, 14
CastleCops Security Professionals, 349–350
CastleCops Services Lists, 199
CastleCops StartupList, 199
CCleaner, using, BC17


CDs. See also Dummies Anti-Rootkit Toolkit (DART)
  burning ISO image to, 321–322, 357
  Linux boot, 316
  making computers boot from, 321
  Microsoft bootable, 235–236
  non-Microsoft bootable, 236–238
Cermak, Mike (Tech Support Guy), 353–354
chat clients, monitoring instant messaging accounts with, 68
checklist for improving security, 118–119
checksums, assessing file integrity with, 240
ChrisRLG (Malware Removal Web site owner), 351
cleaners, recommended for Registry and system, BC17–BC18
cloaked rootkits, defined, 232
computer
  activity, comparing with bandwidth usage, 224
  needing new, 115
computer privileges, understanding, 153. See also user accounts
connections, disabling network before cleaning rootkits, 319–320
Content Zones (Internet Explorer), adjusting, 74–76
contests, avoiding online, 67
Coyote, Tom (Tom Coyote Security Forum owner), 354
CPU cycles, monitoring, 228–229
cross-diff comparison, using different rootkits-detection tools, 234

• D •
DarkSpy
  analyzing Registry with, 279–280
  comprehensiveness and user-friendliness of, 245
  on DART CD, 361
  detecting/removing rootkits with, 277–278
  evaluating process activity with, 227–228
  overview, 276–277
  Registry Analyzer, 278
  removing difficult rootkits with, 280–282
  using for port-to-process mapping, 190
DART. See Dummies Anti-Rootkit Toolkit (DART)
data
  controlling flow of with packets, 199–200
  tracking suspicious flow of, 191
Data Sentinel, verifying system file integrity with, 244
databases
  creating security settings, 131–133
  researching process, 198
dd, creating hard drive image with, 316–317
dd for Windows, copying RAM dump with, 313–314
DDoS (Distributed Denial of Service)
  network of zombies used in, 18
  object of attacks, 23
defragmenting, hard drive, 53–57
dialers, overview, 12
Diamond CS, Port Explorer, 190–191, 202–205, 293–300
direct kernel object manipulation (DKOM), 171–173, 341, 342
Direct Revenue LLC, litigation against, 309
directory service access, auditing, 125
Diskeeper Pro (Executive Software), 57
Distributed Denial of Service (DDoS)
  network of zombies used in, 18
  object of attacks, 23
DLL injection
  AppInit_DLLs, 165–166
  detecting with IceSword, 290–291
  detecting with Process Explorer, 291–293
  functioning of, 164
  overview, 159
DLLs (dynamic link libraries)
  kernel and user, 161–163
  overview, 160, 162
  rootkits targeting, 160
  user-mode rootkits using, 155
domain, defined, 125
domain controller, defined, 125
double filename extensions, viewing, 12
downloading
  guidelines for safe, 65
  using scanners before, BC2
drive-by downloads, installing spyware by, 15–16


drivers, installing as rootkits, 166–168
Dummies Anti-Rootkit Toolkit (DART)
  anti-malware utilities and scanners with, 358–359
  backup and imaging software on, 359–360
  CD contents, 357–358
  installing CD with Microsoft Windows, 356–357
  password protectors and generators on, 364
  rootkit-detection-and-removal software on, 361–362
  system requirements for, 355–356
  system-analysis software on, 360–361
  troubleshooting, 363
dynamic link libraries. See DLLs

• E •
Easter eggs, backdoors installed as, 13
EAT (Export Address Table), as avenue to DLLs, 162
eEye BootRoot, 343
Elite toolbar, 339–340
e-mail
  guidelines for safe, 66–68
  rootkits facilitating spam, 23
EnCase, forensic assistance from, 318
Encrypting File System (EFS), safe surfing with, 64
End User License Agreements (EULAs), 65, 339
Eraser, using, BC21–BC22
Eshelman, James A. (Aumha owner), 348
Ethereal, sniffing hackers with, 205
EULAlyzer, protecting from spyware, 15
evaluating Web sites safety with, 81–82
Event Log Explorer, advantages of, 217–219
event logging. See also auditing
  overview, 119–120
  turning on, 121–122
event logs
  automatically archiving, 208–210
  changing default size, 207–208
  inspecting with Event Log Explorer, 217–219
  inspecting with Event Viewer, 210–213
  inspecting with MonitorWare, 219–222
  monitoring for rootkits clues, 180
  overview, 207
  types of, 206
(Windows)
  accessing, 206–207
  evaluating inspection results in, 213–214
  filtering event log data with, 214–216
  finding rootkits with, 126
  inspecting event logs with, 210–213
  upgrading to Event Log Explorer from, 217–219
events
  categories available for auditing, 124–126
  filtering by type of, 214–216
evidence
  collecting, 304
  collecting RAM dump to USB flash drive, 312–316
  guidelines for preserving, 310–312
  hiring professional to analyze, 317–318
  tracking perpetrators with, 307–308
executable files, hidden, 11–12
Executive Software (Diskeeper Pro), 57
Export Address Table (EAT), as avenue to DLLs, 162
external media, scanning for bootsector viruses, 60

• F •
false security alerts, encouraging purchase of malware programs, 17
FanBot, 343–344
Farmer’s Boot CD (FBCD), 316
file analysis services, availability of, 305
FileAlyzer, verifying system files with, 240–243
file-integrity checks, recommending, 145
Filemon (Sysinternals)
  tracking forensic tool changes with, 312
  tracking outbound access with, 197
filename extensions, viewing, 12
files
  backing up with Windows Backup Utility, 44–46
  checking for legitimacy of, 257


  scanning before opening, 67–68
  tracking forensic tool changes to, 312
filtering, event log data, 214–216
FIRE (Forensic and Incident Response Environment) Bootable CD, 316
firewall logs
  examining for Internet access attempts, 193–194
  identifying process ID associated with identified port, 195
  identifying process with, 195
  identifying processes loaded by svchost.exe with PID 984, 196–197
  monitoring for rootkits clues, 180–181
firewalls
  on DART CD, 358
  functioning of, 83–84
  hardware, 84–90
  importance of having, 82
  importance of using, 28
  improving, 118
  preventing drive-by downloads, 15–16
  software, 90–93
  understanding, 83
  Windows XP, 93–95
firmware, understanding, 324
Forensic and Incident Response Environment (FIRE) Bootable CD, 316
Forensics Acquisition Utilities, 314
format and reinstall
  changing boot order in BIOS, 329–331
  for Microsoft Windows XP, 331–332
  overview, 327–328
  preparing for, 328–329
  rootkits evading, 325–327
  running rootkit detection software after, 333
  weighing option of, 305–307
forums
  asking help from, 234
  CastleCops Security Forum, 14
  helping with Rootkit Revealer, 250–251
  Malware Complaints, 309
  on security Web sites, 348–354
freeware, versus shareware, 357–358. See also specific freeware
F-Secure, BlackLight
  running with Rootkit Revealer, 246
  scanning for rootkits with, 251–253, 340
  user-friendliness of, 245
FU rootkit, 341–342
FUTo rootkit, 175–176, 342

• G •
Geeks to Go Web site, 350–351
Genie-Soft Backup Manager Home, using, BC15
Gibson Research Corporation
  listing ports used by trojans, 186
  SpinRite, 327
Gladiator Security Forum, 351
GMER
  comprehensiveness and user-friendliness of, 245
  on DART CD, 361
  detecting/removing rootkits with, 284–286
  enabling system monitoring/tracing in, 286–287
  evaluating process activity with, 227–228
  overview, 283
  Registry feature, 288
  using in Safe mode, 287–288
  working with 64-bit architectures, 289
gray-market groups, using malware, 18
Greatis
  Application Database, 199
  UnHackMe, 245, 260–261, 361–362, BC12
Group Policy Objects (GPO)
  applying to networks, 139
  importing security templates into, 138–139

• H •
HackerDefender rootkit, 185, 338
hackers
  catching with sniffers, 200–201
  lack of intelligence of, 26
  tracking, 307–308
  using sniffers, 200
  ways of using ports, 185–186
HackerWatch (McAfee, Inc.), 182


hard drives
  choosing to reformat, 305–307
  cleaning with Windows Disk Cleanup Utility, 51–52
  copying infected, 304
  creating image of infected, 315–316
  defragmenting, 53–57
  downloads available for compromised, 364
  firmware for, 324
  malware using space on, 222–223
  partitioning and formatting, 331–332
  preparing for reformatting of, 328–329
  problems of junked up, 46
  rootkits evading reformatting of, 325–327
hard-drive erase and repair utilities, recommended, BC21–BC24
hardware
  needing new computers, 115
  obtaining updates for, 110–112
hardware firewalls
  Network Address Translation (NAT) on, 87
  overview, 84–86
  port blocking/port stealthing with, 87–89
  Stateful Packet Inspection component of, 89–90
hash values, assessing file integrity with, 240
Hayes, Bert (Snort For Dummies), 182
Healan, Mike (SpywareInfo Web site owner), 353
Helix Bootable CD, 316
heuristics
  on scanners, 100, 244
  VICE using, 270
HijackThis (HJT), using AntiHookExec with, 264–265
HIPS (Host-Intrusion Prevention Software)
  GMER as, 286–287
  monitoring for rootkits clues, 183
Hoglund, Greg (Rootkits: Subverting the Windows Kernel), 177
hooking
  direct kernel object manipulation as alternative to, 171–173
  EAT, 162–163
  function of, 158–159
  IAT, 161–162
  inline, 163–164
  Interrupt Descriptor Table, 171
  kernel inline, 170
  overview, 157–158
  percentage of threats employing, 245
  SYSENTER, 170, 344
  System Service Descriptor Table, 168–169
  virtual memory manager, 176
hooks
  installing drivers as rootkits, 166–168
  privileged, 166
  types of, 159
Host-Intrusion Prevention Software (HIPS)
  GMER as, 286–287
  monitoring for rootkits clues, 183
HOSTS file
  applying updated, 29
  using, 72–73
Howes, Eric (SpywareWarrior Web site owner), 353

• I •
IANA (Internet Assigned Number Authority), coordinating port assignments, 184–185
IAT (Import Address Table), as avenue to DLLs, 161–162
IceSword
  comprehensive nature of, 245
  destroying rootkits with, 257–258
  detecting keyloggers with, 290–291
  detecting rootkits changes with, 253–255
  evaluating process activity with, 227
  functions of, 259–260
  interpreting scan results of, 256–257
  overview, 253
  using, BC9–BC10
  using for port-to-process mapping, 189–190
IDS (Intrusion Detection Systems)
  importance of implementing, 29–30
  logs, monitoring for rootkits clues, 182
IDT (Interrupt Descriptor Table), hooking, 171


illegal material, rootkits hiding, 23
IM (instant messaging), guidelines for safe, 68
imaging software
  on DART CD, 359–360
  for infected hard drives, 304
  recommended, BC14–BC16
Import Address Table (IAT), as avenue to DLLs, 161–162
infection
  guidelines for preserving evidence of, 310–312
  options for dealing with, 303–305
  reformatting and reinstalling “cure,” 305–307
  tracking perpetrator of, 307–308
inline hooking, 163–164, 170
instant messaging (IM), guidelines for safe, 68
Intermix Media, litigation against, 309
Internet Assigned Number Authority (IANA), coordinating port assignments, 184–185
Internet browsers
  configuring securely, 29
  using alternate, 28
Internet connection
  danger of leaving on, 64
  defragmenting with, 56
Interrupt Descriptor Table (IDT), hooking, 171
Internet, disconnecting infected machines from, 324
Interrupt service routines (ISRs), rootkits misdirecting from, 171
Intrusion-Detection System (IDS)
  importance of implementing, 29–30
  logs, monitoring for rootkits clues, 182
Intrusion Prevention Systems (IPS), importance of implementing, 29–30
inventory procedures, protecting equipment with, 143
ISO image, burning to CDs, 321–322, 357
ISRs (Interrupt service routines), rootkits misdirecting from, 171

• J •
Java, blocking, 73–76
JavaScript, blocking, 73–76
Jotti, checking for file legitimacy with, 257

• K •
Karen’s Replicator
  on DART CD, 360
  using, BC15
Kaspersky Antivirus version 5.0, Rootkit Revealer interacting with, 249–250
kernel DLLs, rootkits targeting, 161–163
kernel inline hooking, 170
kernel patching, 169
kernel-mode rootkits
  reformatting and reinstalling after, 306
  summary of, 154
  types of hooks used, 159
  versus user-mode rootkits, 155–156
kernels, drivers allowing access to, 167–168
keyloggers
  detecting with IceSword, 290–291
  detecting with Process Explorer, 291–293
  overview, 289
  rootkits enabling, 23–24
  types of, 289–290
Kleiman, Dave (Forensic Network Advisor), 318

• L •
Laudanski, Paul and Robin (CastleCops Security Professionals Web site owners), 349
limited-access user accounts
  establishing, 70–71
  safe surfing with, 64
  using, 27
  using on networks, 141
  value of, 141
links, embedded within instant-messaging text, 68
LinkScanner Pro 2.0, on DART CD, 359


Linux Knoppix, 316
LinuxDefender Live! CD, to, 238
litigation
  pursuing, 308
  against rootkit creators, 308–309
Local Security Policy Editor, editing policies and configuring security with, 126–127
Log Parser utility, investigating event logs with, 220–222
logical bad sectors
  preparing, 327
  rootkits hiding in, 326
logon attempts, evaluating unsuccessful, 213–214
logon events, auditing, 125
logs. See also event logs; firewall logs
  monitoring for rootkits clues, 180–183
  security logs, configuring and enabling, 28
  sniffer logs, 181–182

• M •
malicious adware
  understanding, 13–14
  ways of installing, 14–16
malware
  chasing dodging, 192
  ensuring rootkit survival, 152
  exploiting rootkits, 22
  finding, 304–305
  overview, 9–10
  purpose of, 16–19
  symptoms of presence of, 31–32
  types of, 10–16
  using device drivers, 167
Malware Complaints forum, 309
Malware Removal Web site, 351
master boot record (MBR), 324
McAfee, Inc.
  HackerWatch, 182
  SiteAdvisor, 81–82, 198
MD5summer, verifying system file integrity with, 244
Metasploit, maintaining list of native API entries, 169
Microsoft Corporation
  finding updates/patches from, 105
  getting automatic updates from, 105–106
  obsolete versus supported systems of, 103
  offering patches/updates, 103–104
  responding to rootkit threat, 20
Microsoft Inside-the-box GhostBuster, 273
Microsoft Internet Explorer
  adding Web sites to Trusted zone, 76
  adjusting Content Zones in, 74–76
  disabling AutoComplete in, 77
  using version 7, 77–79
  vulnerability of, 28
Microsoft Malicious Software Removal Tool (MSRT), scanning for rootkits with, 261–262, 338
Microsoft Management Console (MMC)
  comparing current security system and template with, 128–130
  customizing security templates for networks with, 136–137
Microsoft Newsgroups, getting help from, 352
Microsoft Strider GhostBuster
  inside-the-box, 273
  overview, 273
  WinPE, 274
Microsoft TechNet: Events and Errors for the Windows and the System Web site, 120
Microsoft Telnet
  disinfecting RATs with, 298–299
  overview, 297
Microsoft Update
  implementing, 107–109
  installing, 109–110
  overview, 106–107
  preparing for, 107
  resources on, 112–113
Microsoft Virtual PC, 145
Microsoft Windows
  accessing Event Viewer in, 206–207
  filtering event log data with Event Viewer in, 214–216
  inspecting event logs with Event Viewer in, 210–213


  installing DART CD with, 356–357
  removing unused components of, 52–53
  troubleshooting with, 206
Microsoft Windows 2003 Server, turning on security auditing in, 122–124
Microsoft Windows Access Control Mechanisms
  customizing security templates for networks with, 135–139
  editing policies and configuring security with, 126–127
  overview, 126
  testing system against security templates with, 127–135
Microsoft Windows Backup Utility, preparing recovery discs with, 147
Microsoft Windows Disk Cleanup Utility
  cleaning hard drive with, 51–52
  removing unused Windows components/installed programs/system restore points with, 52–53
Microsoft Windows Update
  implementing, 107–109
  overview, 106–107
  preparing for, 107
  resources on, 112–113
Microsoft Windows XP
  firewall, 93–95
  installing, 331–332
Microsoft Windows XP Backup Utility
  backing up files with, 44–46
  installing, 44
Microsoft Windows XP Pro, turning on security auditing in, 123–124
Microsoft WinPE Strider GhostBuster, 274
Microsoft WinPE (Windows Preinstallation Environment), booting to, 235–236
Microsoft’s Security Monitoring and Attack Detection Planning Guide Web site, 120
MMC (Microsoft Management Console)
  comparing current security system and template with, 128–130
  customizing security templates for networks with, 136–137
MonitorWare, investigating event logs with, 219–222
Mozilla Firefox
  advantages of surfing with, 80–81
  securing, 76–77
MSCONFIG, editing startup list with, 48–49
MSRT (Microsoft Malicious Software Removal Tool), scanning for rootkits with, 261–262, 338
MyFip rootkit, 342–343

• N •
native API hooking, 169
Netbus 1.60
  disinfecting with Telnet, 298–299
  disinfecting with Visual Basic program, 299–300
  tracing with Port Explorer, 293–298
Netstat, using for port-to-process mapping, 187–188
Network Address Translation (NAT), with hardware routers, 87
network-address translation (NAT) capability, routers with, 192
networks
  cleaning of rootkits, 233
  customizing security templates for, 135–139
  disabling connections before cleaning rootkits, 319–320
  monitoring for rootkits, 179–180
  obtaining updates for, 110–112
  options for dealing with infections on, 303–304
  protecting ports of, 183–191
  rebooting in disinfecting versus reinstalling on, 306
  using limited-access accounts on, 141–142
  watching logs for rootkits clues, 180–183
New York State, litigation against adware companies by, 309
NIDS (Network Intrusion-Detection System) log, monitoring for rootkits clues, 182
NOD32 Antivirus, using, BC5
Norton , creating hard drive image with, 315–316
NTFSShider, 339
NTI Backup NOW!, using, BC15


• O •
object access, auditing, 125
online contacts, choosing carefully, 62
Opera, securing, 76–77
operating systems (OS)
  choosing to reinstall, 305–307
  importance of securing, 30
  obsolete, unsupported, 103
  preparing for reinstallation of, 328–329
  rootkits evading reinstallation of, 325–327
  rootkits hiding in, 151–153
  rootkits infecting, 234–235

• P •
packets, controlling data flow with, 199–200
packet-sniffers, rootkits enabling, 23–24
page fault, 346
page-fault handler, 346
parental control programs, versus spyware, 14
Password Safe, using, BC20–BC21
passwords
  creating and storing, 29, 69–70
  creating free e-mail accounts, 66
  hackers deciphering weak, 17
  recommended protectors and generators for, BC18–BC21
patches
  automatic Microsoft, 105–106
  finding Microsoft, 105
  Microsoft offering, 103–104
  reasons for, 104
  staying current with, 29
  understanding, 102
patching, miscellaneous software, 113–115
peer-to-peer (P2P)
  file sharing programs, spyware attached to, 15
  networks, downloading from, 65
persistent rootkits, detecting, 246–247
personal information
  hackers obtaining, 17
  keyloggers collecting, 24
pe386, 344
phish, 343
physical access
  importance of limiting/controlling, 142
  limiting/controlling, 140
physical security, creating plan for, 143–144
pings, sending out, 88
plans, creating physical security, 143–144
platforms, rootkits specific to, 21
Pocket KillBox, using, BC17–BC18
policy changes, auditing, 125
pornography
  avoiding, 64
  drive-by downloads from, 15
port blocking, with hardware routers, 87–89
Port Explorer (Diamond CS)
  sniffing capabilities of, 202–205
  tracing RATs with, 293–300
  using for port-to-process mapping, 190–191
port stealthing, with hardware routers, 87–89
ports
  checking with port-to-process mapping, 186–191
  identifying process ID associated with identified, 195
  identifying process through, 195
  overview, 183–185
  ways hackers use, 185–186
port-to-process mapping
  checking ports with, 186–187
  tracking suspicious data flow, 191
  using DarkSpy for, 190
  using Netstat for, 187–188
  using Port Explorer for, 190–191
  using TCPView, 188–189, 189–190
preview panes, disabling e-mail, 66
Privacy Policies, guidelines for safe downloading with, 65
process activity
  evaluating with DarkSpy and GMER, 227–228
  evaluating with IceSword, 227
  evaluating with Process Explorer, 226–227
  evaluating with Task Manager, 224–226


Process Explorer
  on DART CD, 360–361
  detecting keyloggers with, 291–293
  evaluating process activity with, 226–227
  identifying processes loaded by svchost.exe with PID 984, 196–197
  using, BC10
  using AntiHookExec with, 268–269
The Process Library, 199
process tracking, auditing, 125
processes
  identifying, 195–197
  mapping recipient IP address with reverse DNS search, 198
  researching databases of, 198
professionals, hiring to analyze evidence, 317–318
programs. See software
PspCidTable, FUTo rootkits altering, 175–176
P2P (peer-to-peer)
  file sharing programs, spyware attached to, 15
  networks, downloading from, 65
puppet masters, rootkits delivering, 22–23

• R •
RAIDE, scanning for rootkits with, 275–276, 345
random-access memory (RAM), dumping to USB flash drive, 312–314
RATs (remote-access trojans)
  accessing through ports, 183
  commandeering computers, 17–18
  disinfecting with Telnet, 298–299
  reinstalling operating system for, 306–307
  tracing with Port Explorer, 293–298
  using ports, 185
  writing Visual Basic program to disinfect, 299–300
reboots, planning after system compromise, 320–322
recognition
  overview, 30–31
  of problems not from malware, 33
  signs of malware, 31–32
recovery, planning for, 33–34
recovery discs, preparing, 147–148
Red Screen of Death (RSOD), 343
Registrar Registry Manager, using, BC18
Registry
  analyzing with DarkSpy, 279–280
  backing up, 42–43
  cleaning, 57–58
  editing with GMER, 288
  recommended cleaners for, BC17–BC18
  tracking forensic tool changes to, 313
Registry Editor, backing up Registry with, 42–43
Regmon (Sysinternals), tracking forensic tool changes with, 313
remote transfers, installing spyware by, 15
remote-access trojans (RATs)
  accessing through ports, 183
  commandeering computers, 17–18
  disinfecting with Telnet, 298–299
  reinstalling operating system for, 306–307
  tracing with Port Explorer, 293–298
  using ports, 185
  writing Visual Basic program to disinfect, 299–300
resistance
  becoming intelligent computer user for, 26–27
  need for, 26
  security measures recommended for, 27–30
resources
  on developing kernel device drivers, 168
  on hard drive operation, 326
  lists of ports used by trojans, 186
  for security devices, 143
  for security software, 144
  security Web sites, 348–354
  for software updates/patches, 114
  for virtual machine software, 145
restore point. See also System Restore
  creating, 39
  removing installed, 52–53
  restoring from, 41
restoring
  Registry, 43
  system, 41


Restricted Groups policy, implementing, 141–142
Rootkit Revealer Forum, 250
Rootkit Revealer (RKR) (Sysinternals)
  on DART CD, 361
  help resources for, 250–251
  interpreting scan results of, 249–250
  overview, 247–248
  running with BlackLight, 246
  understanding operation of, 248–249
  user-friendliness of, 245
  using, BC10–BC11
rootkit scanners. See also specific scanners
  function of, 232–233
  overview, 231–232
  running after format and reinstall, 333
  types of, 244–246
  using from external storage devices, 235–238
  using in Safe mode, 238–239
rootkits
  cloaked versus uncloaked, 232
  evading security systems, 21–22
  history of, 19–20
  invisible functions of, 151–153
  kernel-mode versus user-mode, 155–156
  overview, 19
  planning defense against, 145–146
  possible actions against creators of, 308–310
  reasons for existence, 22–24
  steps for removing, 233
  types of, 154
Rootkits: Subverting the Windows Kernel (Hoglund, Butler), 177
Rootkitty, scanning for rootkits with, 274–275
routers, blocking tools with, 192–193
RSOD (Red Screen of Death), 343
rule-based firewalls, 91. See also software firewalls
Russinovich, Mark (Sysinternals), 20, 352
RxTx, measuring bandwidth use with, 223–224

• S •
SA (SiteAdvisor) (McAfee, Inc.), 81–82, 198
Safe mode
  booting into with System Configuration Utility, 229
  defragmenting in, 55–56
  rootkits scanning and, 238–239
  running system restore from, 41–42
  using GMER in, 287–288
Safer-Networking Web site, 243
sandbox, defined, BC16
Sandboxie
  on DART CD, 360
  using, BC16
SANS Institute, listing ports used by trojans, 186
saving, before reboots, 320
scam operations, hackers using systems for, 17–18
scanners. See also rootkit scanners; specific scanners
  anti-spyware, 97
  anti-trojan, 98–99
  antivirus, 98
  on DART CD, 358–359
  importance of having, 82
  importance of using, 28
  most useful features of, 99–100
  overview, 95–96
  type of, 96–97
  using before Internet downloads, BC2
Scott, Charlie (Snort For Dummies), 182
screen savers, defragmenting with, 56
security
  configuring, 126–127
  configuring selectively, 134–135
  creating plan for physical security, 143–144
  guidelines for improving, 118–119
  importance of taking physical measures, 142
security auditing
  events, categories available for auditing, 124–126
  turning on, 122–124


Security Configuration Manager, editing policies and configuring security with, 126–127
security devices, protecting equipment with, 143
security forums
  asking help from, 234
  helping with Rootkit Revealer, 250–251
Security log (Windows), function of, 206
security logs, configuring and enabling, 28
security permissions, checking for alteration of, 240
security policies
  editing, 126–127
  setting up, 28
security settings
  comparing with security template, 128–130
  copying from template to template, 137
  creating database of, 131–133
security systems, rootkits evading, 21–22
security templates
  customizing for networks, 135–139
  testing system against, 127–135
Self Monitoring And Reporting Technology (S.M.A.R.T.), helping rootkits hide, 326
service installations/starts, evaluating for rootkits, 214
security-analysis utility, making own, 127
Shadow Walker, 345–346
shareware, versus freeware, 357–358
SIG^2 (API HookCheck), 164
Sigcheck, verifying system file integrity with, 243
Silberman, Peter (FUTo developer), 175
Simovits, listing ports used by trojans, 186
SiteAdvisor (SA) (McAfee, Inc.), 81–82, 198
16-bit architectures, 105
64-bit architectures
  GMER working with, 289
  understanding, 105
size, changing event logs default, 207–208
S.M.A.R.T. (Self Monitoring And Reporting Technology), helping rootkits hide, 326
sniffer logs, monitoring for rootkits clues, 181–182
sniffers
  catching hackers with, 200–201
  detecting, 201–202
  Ethereal, 205
  function of, 24
  hackers using, 200
  Port Explorer, 202–205
Snort For Dummies (Scott, Wolfe and Hayes), 182
Snort, monitoring NIDS with, 182
software. See also specific software
  anti-spyware, 97
  anti-trojan, 98–99
  antivirus, 98
  backup and imaging, BC14–BC16
  blocking illegal computer use with, 144
  for detecting/removing rootkits, BC7–BC12
  editing startup configurations, 48–50
  false security alerts encouraging purchase of, 17
  filtering by specific, 214–216
  hard-drive erase and repair utilities, BC21–BC24
  recommended anti-malware scanners and utilities, BC2–BC7
  recommended password protectors and generators, BC18–BC21
  recommended system and Registry cleaners, BC17–BC18
  removing installed, 52–53
  removing unused, 50–51
  running too many at startup, 47
  updating/patching miscellaneous, 113–115
  virtual machine, 144–145
software firewalls
  functioning of, 91–92
  knowing system needs, 95
  overview, 90–91
  setting rules for, 92–93
  Windows XP, 93–95
SONY Digital Rights Management (DRM) rootkit, discovery of, 20
spam e-mail, rootkits facilitating, 23
SPI (Stateful Packet Inspection) component, with hardware firewalls, 89–90


spies, rootkits acting as, 23–24
SpinRite (Gibson Research Corporation)
  described, 327
  using, BC23–BC24
Spitzer, Elliott (New York State Attorney General), 309
spoofed Web sites, drive-by downloads from, 15
Spybot-Search&Destroy
  on DART CD, 359
  inserting Hosts list into HOSTS file, 72–73
  using, BC6
spyware
  understanding, 13–14
  ways of installing, 14–16
SpywareInfo Web site, 352–353
SpywareWarrior Security Web site
  overview, 353
  resource on cyber-cor-pirates, 18
SSDT (System Service Descriptor Table)
  hooking, 168–169
  replacing, 170–171
SSV (System Virginity Verifier), scanning for rootkits with, 270–273
startup
  editing list using MSCONFIG, 48–49
  running too many applications at, 47
Stateful Packet Inspection (SPI) component, with hardware firewalls, 89–90
static DLLs, rootkits targeting, 160
stop errors, evaluating for rootkits activity, 214
strategies, recommended for rootkit detection and removal, 234
SubVirt rootkit, 177–178
Sunbelt Kerio Personal Firewall, on DART CD, 358
survivable systems, defined, 25
svchost.exe
  identifying process started by, 195–196
  identifying processes loaded by, 196–197
Symantec, list of top 19 threats from, 245
symptoms, of malware presence, 31–32
SYSENTER hooking, 170, 344
Sysinternals
  Autoruns, 49–50, 246–247, 265–268, 360, BC8–BC9
  Filemon, 197, 312
  PageDefrag, 57
  Regmon, 313
  Rootkit Revealer, 245–251, 361, BC10–BC11
  TCPView, BC11–BC12
Sysinternals Forum, 352
system calls, user-mode rootkits using, 155
system cleaners, recommended, BC17–BC18
System Configuration Utility, booting into Safe mode with, 229
system events, auditing, 125
system files
  checking for replacement of, 240
  verifying integrity of, 243–244
  verifying with FileAlyzer, 240–243
System log (Windows), function of, 206
system monitoring, enabling in GMER, 286–287
system requirements
  Acronis True Image, 359
  Advanced Password Generator, 362
  Agnitum Outpost Firewall, 358
  Any Password, 362
  Autoruns, 360
  BartPE CD, 237
  checking downloads for, 109
  DarkSpy, 361
  DART, 355–356
  GMER, 361
  Karen’s Replicator, 360
  LinkScanner Pro 2.0, 359
  Process Explorer, 360
  Rootkit Revealer, 361
  Sandboxie, 360
  Spybot-Search&Destroy, 359
  Sunbelt Kerio Personal Firewall, 358
  troubleshooting problems with, 363
  UnHackMe, 361
  Virtual PC, 145
  Workstation, 145
system resources, malware using, 222–223

System Restore
    accessing, 39
    changing drive settings of, 39–40
    clearing out/shutting off, 40–41
    creating restore point, 39
    disabling, 325
    restoring from restore point with, 41
    running from Safe mode, 41–42
    understanding, 38
    working with after system compromise, 323–324
System Service Descriptor Table (SSDT)
    hooking, 168–169
    replacing, 170–171
system service, filtering by, 214–216
system tracing, enabling in GMER, 286–287
System Virginity Verifier (SSV), scanning for rootkits with, 270–273
system-analysis software, on DART CD, 360

• T •

Task Manager
    evaluating process activity with, 224–226
    monitoring computer activities with, 223–224
    monitoring CPU cycles with, 228–229
TCPView (Sysinternals), using, BC11–BC12
TCPView, using for port-to-process mapping, 188–189
Tech Support Guy Forum, 353–354
32-bit architectures, 105
thread injection, functioning of, 165
Tom Coyote Security Forum, 354
toolbars, adware, 13–14
tools. See utilities
training, security awareness, 144
Tripwire, verifying system file integrity with, 243
trojanized utilities, replacing system files, 174–175
trojans. See also remote-access trojans (RATs)
    effects of, 63
    overview, 11
    using AppInit_DLLs injection, 165
    using ports, 185–186
Trusted zone (Internet Explorer), adding Web sites to, 76
Turner, Suzi (SpywareWarrior Web site owner), 353

• U •

Ultimate Boot CD For Windows (UBCD4Win), booting to, 237–238
uncloaked rootkits, defined, 232
UnHackMe (Greatis)
    on DART CD, 361
    scanning for rootkits with, 260–261
    user-friendliness of, 245
    using, BC12
University of Connecticut (UCONN), housing rootkit, 154
unpatched computers, worms effect on, 11–12
unprivileged hooks, overview, 159
updates. See also Microsoft Update; Microsoft Windows Update
    automatic Microsoft, 105–106
    finding Microsoft, 105
    importance of, 103
    Microsoft offering, 103–104
    miscellaneous software, 113–115
    for networks and hardware, 110–112
    reasons for, 104
    staying current with, 29
    understanding, 102
USB flash drive, dumping RAM to, 312–314
user accounts
    establishing limited-access, 70–71
    safe surfing with limited-access, 64
    using limited-access, 27
    using limited-access on networks, 141
    value of limited-access, 141
user DLLs, rootkits targeting, 161–163
user-friendliness, of rootkits actors, 245
user-level rootkits, types of hooks used, 159
user-mode rootkits
    versus kernel-mode rootkits, 155–156
    summary of, 154
users, filtering event by, 214–216

utilities. See also specific utilities
    anti-malware on DART CD, 358–359
    to detect sniffers, 202–205
    hard-drive erase and repair, BC21–BC24
    recommended anti-malware, BC2–BC7
    trojanized replacing system files, 174–175
    for verifying system file integrity, 240–244

• V •

VICE (Virtual Intruder Capture Engine), scanning for rootkits with, 269–270
video-card EEPROM, rootkits residing in, 324
virtual machine (VM) software, 144–145
virtual memory manager (VMM), hooking, 176, 345
virtual operating systems, fooling rootkits with, 144–145
virtual-machine-based rootkits (VMBR), function of, 177–178
Virus Total, checking for file legitimacy with, 257
viruses
    finding, 304–305
    overview, 11
Visual Basic programs, writing to disinfect Netbus, 299–300
VM (virtual machine) software, 144–145
VMware Workstation, 145
vulnerability, to malware, 10

• W •

Web sites
    adding to Trusted zone, 76
    for bootable CDs, 236–238
    for checking for legitimacy of files, 257
    drive-by downloads from spoofed, 15
    evaluating safety of, 81–82
    on hard drive operation, 326
    for Linux boot CDs, 316
    for maintaining list of native API entries, 169
    for process databases, 198
    resources for phishing, 343
    resources for security auditing, 120
    resources for security devices, 143
    resources for security software, 144
    resources for software updates/patches, 114
    resources for virtual machine software, 145
    resources listing ports used by trojans, 186
    resources on developing kernel device drivers, 168
    Safer-Networking, 243
    security, 338, 348–354
Web surfing
    advantages of using Firefox for, 80–81
    guidelines for safe, 63–64
    importance of practicing safe, 30
    malware controlling, 16–17
    malware tracking, 16
    rootkits tracking, 24
whoami.exe tool, tracking user access with, 141
Windows File Protection (WFP), protecting DLLs, 160
WinTasks Process Library, 199
Win32/Hackdoor.B rootkit, using ports, 185
WMF (Windows Metafile) exploit, installing spyware by, 15–16
Wolfe, Paul (Snort For Dummies), 182
worms, overview, 11

• Z •

zombies, for DDoS, 18
ZoneAlarm Pro Firewall, using, BC6–BC7