Re: Re: They got me!!!

["Eliah Kagan" <degeneracypressure () gmail com>]

> 1) rootkits,trojans..ect are put there by people with a lot more
> knowledge then the average person. In most cases, you will never
> Find the person.

If the attack is personal, rather than impersonal and automated, then
you may well find the person. For instance, many stalkers are also
(albeit older than the stereotype would have you believe) script
kiddies, and combine the two. A little investigatory work can often
reveal the identity of the attacker. Rootkits and trojans are often
used by people who know how to followed dumbed-down directions on a
website, and no more. And even when they are installed by highly
competent malicious hackers, people make mistakes.

Consider computer crime as a subset of crime in general. Many if not
most people who are stalked or anonymously harassed strongly suspect
one individual as the culprit, and are right. Professional
investigators typically obtain their first lead or leads by asking the
victim who the victim thinks is the culprit. If your box has been
owned and it looks like a personal attack rather than an automated
one, you might already know who did it. (Or it could very well be one
of your kids' friends or enemies from school.)

In the case being discussed in this thread, though, there doesn't seem
to be any compelling evidence thus far revealed to suggest that the
attack was personal. It was probably automated: spyware, exploitation
of a bug in IE, malware spammed in by email, and so forth, as people
have suggested.

It is important to recognize that common spyware often uses rootkits.
The two most celebrated examples are CoolWebSearch and the DRM rootkit
that Sony used. Substantial programming skill is needed to write a
rootkit, not to use one on somebody.

> 6) I know Zone Alarm can do this, I'm sure yours can. - set program
> control to not allow anything to run without prompting you. Make sure
> You erase any past access. Reboot the box and see what wants to run on
> your box.

Program control is a useful tool, but it is not guaranteed to work
against a kernel-mode rootkit. Once a hacker can run arbitrary code on
your system, you can never trust anything your system (that is, any
program of any kind running on your system) tells you. The whole point
of rootkits is to make detection and prevention methods--like program
control--fail silently.

-Eliah

On 4/6/06, Levenglick, Jeff <JLevenglick () fhlbatl com> wrote:
> It is always nice to learn, but in a lab.
>
> You need to keep in mind of the following:
>
> 1) rootkits,trojans..ect are put there by people with a lot more
> knowledge then the average person. In most cases, you will never
> Find the person.
>
> 2) You are dealing with your own box. Your info..ect is on that box, you
> really do not want to play around with it, do you?
>
> Without a sniffer or a honey box you will have a hard time trying to see
> all the steps taken to get your box.
>
> I would suggest the following:
>
> 1) run   netstat -an and save the output.
> 2) remove the box from any networks
> 3) run  netstat -an and save it to another file.
> 4) compare the two files. Did something wake up or did something die?
> 5) look for strange ports. Check google to see what the port is known
> for.
> 6) I know Zone Alarm can do this, I'm sure yours can. - set program
> control to not allow anything to run without prompting you. Make sure
> You erase any past access. Reboot the box and see what wants to run on
> your box.
>
> The above should get you some information to google. Usually you can
> find out what the trojan/root kit does and how it is installed.
>
> If nothing comes up, then someone might have run an exploit to connect
> to your box and then got off. The only way to find out at this point is
> To check your router logs. Look for multiple connects to ports from the
> same ip. If your lucky you might see a scan with 50+ trys within one
> minute.
>
> If you still do not see anything, then assume something was run on the
> pc first. You should see in the log file a connection going to an
> outside ip on a strange port. Or one the keeps connecting each day to
> the same ip...ect..
>
>
> -----Original Message-----
> From: pentesticle () yahoo com [mailto:pentesticle () yahoo com]
> Sent: Thursday, April 06, 2006 10:21 AM
> To: incidents () securityfocus com
> Subject: Re: Re: They got me!!!
>
> Yes, I want to learn something from this so want to find out what/how
> the access was obtained. I feel I have the computers as secure as
> Microsoft allows (WinXP Pro). I check for patches regularly (weekly). I
> have most built-in accounts disabled. The accounts all run at a regular
> user priviledge. This particular machine does act as a print server for
> my network, but I have anonymous access restricted and only allow
> authenticated connections. I restrict remote admin access, but not sure
> if it can be bypassed somehow. The kids do play the internet games and
> surf the funny video sites and I do have a teen that check web mail, but
> none of them are "supposed" to have access to install (ie regular user
> account). I have software firewalls (Symantec) running on the machine
> behind a Linksys router/firewall as my gateway. So far I haven't any
> spyware on the box, only attempts, when I run my nightly scans and
> review the logs files.
>
> Since I didn't have my sniffer running at the time I really want to see
> if I can find out what happened and how it happened. I'm somewhat
> concern if my border device may possibly be compromised as well.
> Unfortunately Linksys is pretty limited on the abilities to manage the
> device. None of my other PC's on the network seem to show any indication
> of compromise, but again this one in particular is slightly less secure
> for the sharing of the printer.
>
> Any additional information is much appreciated.
>
> Thanks...
>
> Hopefully I'll be able to put the pieces together.
>
>
> -----------------------------------------
> This e-mail message is private and may contain confidential or
> privileged information.