23_917106 bindex.qxp 12/21/06 12:09 AM Page 365

Index

• Numerics •

16-bit architectures, 105
32-bit architectures, 105
64-bit architectures
  GMER working with, 289
  understanding, 105

• A •

Abrams, Lawrence (Bleeping Computer Web site owner), 349
access
  backdoors giving, 12–13
  limiting/controlling physical, 140
  need to limit, 139–140
account logon events, auditing, 124–125
account management, auditing, 125
AccuHash 2.0, verifying system file integrity with, 243
Acronis True Image
  on DART CD, 359
  using, BC14
Active@ Kill Disk, using, BC22–BC23
ActiveX
  blocking, 73–76
  controls in Internet Explorer 7, 78
  danger of accepting, 65
Ad-Aware SE Personal, using, BC2–BC3
administrative access
  to disable System Restore, 325
  rootkits needing, 153
ADS (alternate data stream), 344
Advanced Password Generator
  on DART CD, 362
  using, BC18–BC19
Agnitum Outpost Firewall
  on DART CD, 358
  using, BC3–BC4
AIM (AOL Instant Messaging) network, worm infecting, 69
Answers that work process database, 199
AntiHookExec
  benefits of using with other tools, 263–264
  installing, 263
  overview, 262
  user-friendliness of, 245
  using, BC8
  using Autoruns with, 265–268
  using Process Explorer with, 268–269
  using HijackThis with, 264–265
anti-malware Real Time Monitoring, instant messaging with, 68
anti-malware utilities. See also specific utilities
  on DART CD, 358–359
  recommended, BC2–BC7
anti-spyware software, 97. See also specific software
anti-trojan software, 98–99. See also specific software
antivirus software, 98
Any Password
  on DART CD, 362
  using, BC19–BC20
AOL Instant Messaging (AIM) network, worm infecting, 69
API HookCheck (SIG^2), 164
API hooking, overview, 159
AppInit_DLLs injection, functioning of, 165–166
Application log (Windows), function of, 206
application programming interface (API)
  kernel-mode rootkits using, 156
  user-mode rootkits using, 155
application-based firewalls, 91. See also software firewalls
applications. See software
Apropos rootkits, 239, 340–341
archiving, event logs automatically, 208–210
attachments, guidelines for safe, 66–68

366 Rootkits For Dummies

auditing
  categories of security events available for, 124–126
  overview, 119–120
  resources for, 120
  turning on event logging, 121–122
  turning on security, 122–124
auditing policies
  configuring and enabling, 28
  instant messaging with, 68
Aumha Web site, 348
AutoComplete (Internet Explorer), disabling, 77
automatic updates, setting up, 105–106
AutoPlay (Windows), disabling on external drives/devices, 59
AutoRun (Windows)
  disabling, 58–59
  working without, 60
Autoruns (Sysinternals)
  on DART CD, 360
  detecting persistent rootkits with, 246–247
  editing startup list with, 49–50
  using, BC8–BC9
  using AntiHookExec with, 265–268
AVG Anti-Spyware Free, using, BC4

• B •

backdoor keyloggers, 289–290. See also keyloggers
backdoors
  allowing access through ports, 183
  overview, 12–13
  rootkits opening, 23
backing up
  importance of maintaining, 29
  preparing recovery discs for, 147–148
  recommended software for, BC14–BC16
  Registry, 42–43
  software available for, 304
  software on DART CD for, 359–360
  storing after, 304
  with Windows Backup Utility, 44–46
bad sectors
  preparing, 327
  rootkits hiding in, 326
BadRKDemo rootkit, DarkSpy removing, 280–282
bandwidth, measuring use of, 223–224
BartPE (Bart Preinstallation Environment), 236–237
baseline
  using, 146–147
  value of, 146
BIOS
  changing boot order in, 329–331
  rootkits residing in, 324
BitDefender antivirus software, 238
blackhat hacker, 337
BlackLight (F-Secure)
  running with Rootkit Revealer, 246
  scanning for rootkits with, 251–253, 340
  user-friendliness of, 245
black-market groups, using malware, 18
Bleeping Computer Startup Programs Database, 199
Bleeping Computer Web site, 348–349
boot order, changing in BIOS, 329–331
bootable CDs
  Linux, 316
  Microsoft, 235–236
  non-Microsoft Windows, 236–238
bootsector viruses, scanning for, 60
browsers
  configuring securely, 29
  using alternate, 28
bundling, installing spyware through, 14–15
business plans, creating physical security, 143–144
Butler, Jamie (Rootkits: Subverting the Windows Kernel), 177

• C •

CastleCops Security Forum, determining toolbar legitimacy with, 14
CastleCops Security Professionals, 349–350
CastleCops Services Lists, 199
CastleCops StartupList, 199
CCleaner, using, BC17
CDs. See also Dummies Anti-Rootkit Toolkit (DART)
  burning ISO image to, 321–322, 357
  Linux boot, 316
  making computers boot from, 321
  Microsoft bootable, 235–236
  non-Microsoft bootable, 236–238
Cermak, Mike (Tech Support Guy), 353–354
chat clients, monitoring instant messaging accounts with, 68
checklist for improving security, 118–119
checksums, assessing file integrity with, 240
ChrisRLG (Malware Removal Web site owner), 351
cleaners, recommended for Registry and system, BC17–BC18
cloaked rootkits, defined, 232
computer
  activity, comparing with bandwidth usage, 224
  needing new, 115
computer privileges, understanding, 153. See also user accounts
connections, disabling network before cleaning rootkits, 319–320
Content Zones (Internet Explorer), adjusting, 74–76
contests, avoiding online, 67
Coyote, Tom (Tom Coyote Security Forum owner), 354
CPU cycles, monitoring, 228–229
cross-diff comparison, using different rootkits-detection tools, 234

• D •

DarkSpy
  analyzing Registry with, 279–280
  comprehensiveness and user-friendliness of, 245
  on DART CD, 361
  detecting/removing rootkits with, 277–278
  evaluating process activity with, 227–228
  overview, 276–277
  Registry Analyzer, 278
  removing difficult rootkits with, 280–282
  using for port-to-process mapping, 190
DART. See Dummies Anti-Rootkit Toolkit (DART)
data
  controlling flow of with packets, 199–200
  tracking suspicious flow of, 191
Data Sentinel, verifying system file integrity with, 244
databases
  creating security settings, 131–133
  researching process, 198
dd, creating hard drive image with, 316–317
dd for Windows, copying RAM dump with, 313–314
DDoS (Distributed Denial of Service)
  network of zombies used in, 18
  object of attacks, 23
defragmenting, hard drive, 53–57
dialers, overview, 12
Diamond CS, Port Explorer, 190–191, 202–205, 293–300
direct kernel object manipulation (DKOM), 171–173, 341, 342
Direct Revenue LLC, litigation against, 309
directory service access, auditing, 125
Diskeeper Pro (Executive Software), 57
Distributed Denial of Service (DDoS)
  network of zombies used in, 18
  object of attacks, 23
DLL injection
  AppInit_DLLs, 165–166
  detecting with IceSword, 290–291
  detecting with Process Explorer, 291–293
  functioning of, 164
  overview, 159
DLLs (dynamic link libraries)
  kernel and user, 161–163
  overview, 160, 162
  rootkits targeting, 160
  user-mode rootkits using, 155
domain, defined, 125
domain controller, defined, 125
double filename extensions, viewing, 12
downloading
  guidelines for safe, 65
  using scanners before, BC2
drive-by downloads, installing spyware by, 15–16
drivers, installing as rootkits, 166–168
Dummies Anti-Rootkit Toolkit (DART)
  anti-malware utilities and scanners with, 358–359
  backup and imaging software on, 359–360
  CD contents, 357–358
  installing CD with Microsoft Windows, 356–357
  password protectors and generators on, 364
  rootkit-detection-and-removal software on, 361–362
  system requirements for, 355–356
  system-analysis software on, 360–361
  troubleshooting, 363
dynamic link libraries. See DLLs

• E •

Easter eggs, backdoors installed as, 13
EAT (Export Address Table), as avenue to DLLs, 162
eEye BootRoot, 343
Elite toolbar, 339–340
e-mail
  guidelines for safe, 66–68
  rootkits facilitating spam, 23
EnCase, forensic assistance from, 318
Encrypting File System (EFS), safe surfing with, 64
End User License Agreements (EULAs), 65, 339
Eraser, using, BC21–BC22
Eshelman, James A. (Aumha owner), 348
Ethereal, sniffing hackers with, 205
EULAlyzer, protecting from spyware, 15
  evaluating Web sites safety with, 81–82
Event Log Explorer, advantages of, 217–219
event logging. See also auditing
  overview, 119–120
  turning on, 121–122
event logs
  automatically archiving, 208–210
  changing default size, 207–208
  inspecting with Event Log Explorer, 217–219
  inspecting with Event Viewer, 210–213
  inspecting with MonitorWare, 219–222
  monitoring for rootkits clues, 180
  overview, 207
  types of, 206
Event Viewer (Windows)
  accessing, 206–207
  evaluating inspection results in, 213–214
  filtering event log data with, 214–216
  finding rootkits with, 126
  inspecting event logs with, 210–213
  upgrading to Event Log Explorer from, 217–219
events
  categories available for auditing, 124–126
  filtering by type of, 214–216
evidence
  collecting, 304
  collecting RAM dump to USB flash drive, 312–316
  guidelines for preserving, 310–312
  hiring professional to analyze, 317–318
  tracking perpetrators with, 307–308
executable files, hidden, 11–12
Executive Software (Diskeeper Pro), 57
Export Address Table (EAT), as avenue to DLLs, 162
external media, scanning for bootsector viruses, 60

• F •

false security alerts, encouraging purchase of malware programs, 17
FanBot, 343–344
Farmer’s Boot CD (FBCD), 316
file analysis services, availability of, 305
FileAlyzer, verifying system files with, 240–243
file-integrity checks, recommending, 145
Filemon (Sysinternals)
  tracking forensic tool changes with, 312
  tracking outbound access with, 197
filename extensions, viewing, 12
files
  backing up with Windows Backup Utility, 44–46
  checking for legitimacy of, 257
  scanning before opening, 67–68
F-Secure,