August 3rd, 2003, 04:56 PM
Hi folks, I have only been a subscriber for a short time, but I thought I ought to try to make some kind of contribution. I have been studying malware and security for a number of years now, mainly on a “needs to know basis”. A reactive as opposed to proactive approach, I suppose.
I would like to open this thread for all us newbies, with the hope that all will contribute. I have come across a number of excellent recommendations for security software/tools on this site, and have tried various ones myself, over the years. I think that we could usefully exchange knowledge and experience in this area? The problem with the solutions one reads is that they tend to relate to a particular problem, rather than good security measures in general?
I will try to keep this short, as I feel that too much information at once tends to swamp people (it also makez mi brane ‘urt)
Let’s make a start with what “malware” tries to do:
1. Amend the Windows Registry……………..I guess that at least 95% of it tries to do that?
2. Propagate via e-mail…………….got to be 80% plus?
3. Access address books…………….maybe 70%?
There are a number of other attributes, and I may have two or three follow-up posts “on the stocks”, to deal with these (If I don’t get banned or something)……………What I am hoping to create here is a thread for us to exchange info and experiences ………………I would hope that it lasts for a week or two.
A. You MUST have a modern antivirus software program running. It must scan ALL programs and scan heuristically (try to anticipate malware activity). You MUST keep it up to date…a lot of the new ones will do this automatically.
B. You MUST have a personal firewall, if you are accessing the Internet. Keep this up to date, as in A. above.
These are what I call “level one” defences.
OKAY…this is for single machines only………..network stuff must come later.
Let us address the three malware activities I have introduced so far……………..
The Windows Registry………I recommend using Registry Protector from diamondcs.au I believe the program is regprot.exe, and I for one, would not be without it. You are warned if a Registry amendment is about to be made, and given the opportunity to accept or reject. It can be a pain if you load a new application, but, if it needs more than 6 registry entries it is probably no good anyway….
If you have not loaded new software and this kicks in…you may have a problem…just say “no” and see if what you wanted to happen works. If it doesn’t…just try again and say “yes” at the prompt….and on your own head be it!!!!
Propagate via e-mail……….OKAY…you have an infected box….do you want to pass it on?
Try “Mail Control” by Yavin Kaplan (http://www.internals.com)
This app prevents unauthorised sending of e-mail on your behalf (currently SMTP only).
It also permits you to set rules to allow/deny sending, but use this wisely, as you may negate its functionality.
VBS Script Executor…………………http://www.astonsoft.com
A new player in the security market from Estonia (a fellow EC country)…look to have some nice stuff and much more on the boil..so to speak
Seems to monitor WSH/VM for malicious VBS and JAVA scripts.
It also monitors for attempts to modify autostart AND ATTEMPTS TO OPEN ADDRESS BOOKS (nice touch!)
HERE ARE A FEW MORE:
SpywareGuard from javacool
features live update
helpfile explains how it works
has forum at http://www.wildersecurity.com
Scrip Trap from Robin Keir
I like this one!…it intercepts potentially harmful programs.
It will link to your antivirus program
There is a helpfile that explains how it works…
WinPatrol from BillPStudios
This gives realtime protection
Good cookie control
Good control tools for startup and active tasks
AND I LOVE the social engineering…the little dog will make kids aware of threats
(for those who are interested, I define “kid” as less than 11 years old)
AnalogX Script Defender
OKAY…I am not sure which side of the fence AnalogX live on, but this stuff seems to work….It allows experienced users to change the code. Try http://www.analogx.com
I will leave you now…should I proceed with this?………………….it is not a tutorial….just the start of a thread?
Be safe, stay safe
August 3rd, 2003, 05:20 PM
Hey, great info for sure. Another thing that people might want to do is get some anti-trojan type software as well. Ad-aware by lavasoft is one of the leading programs that does this. I've been using it for a while, and never been let down. Also, spy bot is another good one. Both of these do registry scanning, and if updates are performed, can be a great tool for defense.
One tip that I could offer is to make copies of the registry on a weekly basis, just in case you're totally screwed, it could save your ass. I do this on all the servers that I take care of, and has helped more than once! It's easy to script. All leading backup programs can backup the system state, including native tools such as ntbackup.
"First you get the sugar, then you get the power, then you get the women"
August 4th, 2003, 04:03 AM
For anti-trojan most people will go with Moosoft's anti-trojan software. As far as the registry is concerned, I'd rather have an application that logs any changes to the registry rather than have to tell it whether or not to allow the changes. That way I also have a list of the keys which were changed and so on if they need to be removed or replaced after removal. To further protect your email, do not use Outlook; use another client such as Eudora, they won't run the scripts and such which Outlook does.
<chsh> I've read more interesting technical discussion on the wall of a public bathroom than I have at AO at times
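The weekly registry copies and the change log asked for in the two replies above can be combined by exporting the same keys on a schedule and diffing the exports. This is an added example, not code from any poster; it assumes regedit-style export text already decoded to a string, and every key path, value name and file path in the sample is constructed.

```python
# Added example: compare two registry exports (.reg text) and list the changes.

def split_value(line):
    if line.startswith("@="):
        return "(Default)", line[2:]
    i = 1
    while i < len(line) and line[i] != '"':   # closing quote of the name
        i += 2 if line[i] == "\\" else 1
    return line[1:i], line[i + 2:]            # skip the quote and the '='

def parse_reg(text):
    """Return {(key_path, value_name): raw_data}; value_name None marks the key."""
    values, key, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):               # hex data continues on next line
            pending = line[:-1]
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            values[(key, None)] = ""
        elif key and line.startswith(('"', "@=")):
            name, data = split_value(line)
            values[(key, name)] = data
    return values

def diff_snapshots(before_text, after_text):
    """Return (action, key, value_name, detail) tuples, sorted by key and name."""
    before, after = parse_reg(before_text), parse_reg(after_text)
    changes = []
    for ident in sorted(set(before) | set(after), key=lambda k: (k[0], k[1] or "")):
        old, new = before.get(ident), after.get(ident)
        if old is None:
            changes.append(("added", *ident, new))
        elif new is None:
            changes.append(("removed", *ident, old))
        elif old != new:
            changes.append(("changed", *ident, f"{old} -> {new}"))
    return changes

# Constructed sample snapshots (not real exports): a protection setting is
# switched off and a new autostart entry appears between the two exports.
BEFORE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\ExampleAV]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAV"="\"C:\\Program Files\\ExampleAV\\avmon.exe\" /tray"
'''
AFTER = (BEFORE.replace("dword:00000001", "dword:00000000")
         + r'"updater"="C:\\WINDOWS\\TEMP\\example.exe"')
```

Calling `diff_snapshots(BEFORE, AFTER)` returns one "changed" and one "added" entry, which is the list of keys to review or undo after a cleanup.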
August 4th, 2003, 12:47 PM
While I see your post as a tutorial.. I think it could almost be made sticky in this forum..
Spybot s&d .. besides ad-ware and tracking krap.. will also spot a number of trojans..
We will need to touch on Social engineering.. as this is a common attack.. Point in case some recent bugs.. Claims of Windows patch, or a Bug report....
While being familiar with cleaning up the viral mess.. I am still clearing the marketing crap from the facts..
Many newer AV progs claim Script protection.. ie VB and Java.. is this just a marketing claim? I have not read of tests in this area.
Thanks for the information and the links for the noobs..
edit: and Negetive has already copied this thread to the Tutorials..... well there you go..
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
August 5th, 2003, 02:32 PM
Thanks for the responses.
Darksnake, I have noted the comments on registry protection and appreciate the desire to know what is going on, and get the full picture. Registry protector does tell you what the entries are, but only does it one at a time, on an arrival basis. This is probably ok, as malware does not tend to make that many entries/amendments...you would still have to write or screenprint them.
My experience suggests that at least 80% of the World’s computer users are blissfully unaware of the existence of the Windows Registry, and there are not many of the other 20% who could tell you what a particular entry was going to do. So for most people, the utility suggested is all they really need?
If you let malware load itself fully....to see all the Registry entries..., it may well run, propagate, and do all sorts of nasty things……they don’t all deliver at next re-boot? Another point is that when I am in the middle of checking my e-mail, I don’t really want to have to take time out to sort a malware infection, so the sooner I can stop it the better. This is particularly true if I am on a network and/or this is my main, shared, or only box.
If I want to analyse something potentially dangerous I lift it onto an old ex-corporate box which has decompressors (UPX etc), decryptors, compilers, decompilers and script editors.
Regarding Und3ertak3r’s comments: I too have seen the claims for the latest releases of AV software, and have not seen any hard facts as to how good they are. I am particularly interested in how good their “firewall” components are, as my McAfee 7.0 complained about finding ZoneAlarm, and wanted me to uninstall it. Was this a technical or a commercial objection?….I was not offered any choice!
I appreciate the general rule that you should only have one realtime AV product and one firewall (unless one is hardware and the other software), but am a little concerned that this is “putting all my eggs into one basket”….if I drop it??? The reason I mention this, is there seems to be a growing trend for malware to contain AV and firewall killing routines, and the well known commercial products are the most obvious targets.
Some time ago I recall seeing a Russian AV product that prompted you to give your own personalised names to its files and executables………….perhaps this is an answer?
BTW The items I have mentioned are generally free for private use, which I hope will help people on limited budgets such as students.
August 9th, 2003, 05:50 AM
I'm a newbie! And have a query!
I mainly have one question and plenty of information after digging for this Trojan I found on my system.
1) It's in a TEMP resource file and cannot be deleted, healed, etc. (the boogery thing)
The location of the file is:
RslocA (rslocal? possibly related...)
Description- rslocal MFC Application (C) 2002
File Version- 18.104.22.168
Product Name-rslocal Application
4) My computer has shown an "error screen" too often for my liking and my "scan disk" freezes up when I try to run it since locating the file.
5) I DL'ed some freeware from SysInternals and through that software found someone looking into my drive that ought'n't have been.
Can anyone help me? Please... I'll give you my secret recipe for the best spaghetti bolognese in the world!
August 9th, 2003, 11:24 AM
You probably should have started a new thread for this, and it may get moved, but did you try
Trend Micro TROJ_RSLOCAL.A
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
August 9th, 2003, 08:04 PM
Well, you had the courtesy to read my stuff so I reckon you deserve a reply, even if it is the "wrong place"...I guess the only reason there are right and wrong places is to avoid duplications of threads/questions/answers.
Having said that, I wonder if your specific question might not have a generic answer that "belongs in the marketplace" so to speak.
As I understand things, no operating system truly deletes files, they just mark the space as available. In windows, this would commonly be by replacing the first character of the file name with the "underscore" character "_", that prevents normal software from recognising it. If there is malware that relies on this subterfuge, it can be eliminated by software that "wipes" the blank (available) data areas of your drive. I recommend doing this as a general security precaution.
Your personal problem is slightly different, however..............you must be running Windows Me/2K/XP that has the fancy spacewaster called windows recovery installed (you have a folder "_recovery"....hah!...the dreaded underscore). If something gets into this system recovery folder, it cannot be deleted by normal methods and by AV or other protection software............this really should not be a problem unless you actually execute the restore facility, as the malware should effectively be quarantined until such time.
Please check out the PC-cillin or McAfee AV sites for the special instructions on how to remove viruses from operating systems that feature this recovery system.......others probably have it as well? Sorry I don't know the answer off the top of my head as I have never let malware get that far.
Unfortunately, I don't think that this will solve your actual problem, as stuff in the recovery folder should be inert?
I would recommend trying the following:
Obtain and run AdAware 6 from lavasoft.
Obtain and run SpyBot Search & Destroy
Get a trial of "Pest Patrol" and run that.
Go to the PC-cillin website and run "housecall" online AV scanner.
Run scandisk in "safe" mode, and do a full check (disk surface as well)
Defragment your drive
If this does not work, I am beginning to suspect your Registry may be corrupted..please let me know.......
OH.......and I think that you might owe me a recipe?
August 10th, 2003, 04:56 AM
Upon completion of said task I'll write the recipe for you two, since I did garner two responses... now which is it? Do you want a Vegetarian Recipe or Carnivore (technically omnivore) recipe?
August 11th, 2003, 06:32 AM
... um, he he he
My computer will not allow me to run scan disk at all... even in "Safe Mode" I called the guy who built the thing for me and he told me to bring it in and he'd fix it, I guess that means he's gonna wipe the whole thing and re-install Windows. Thanks for your help, and the recipe will be coming forthwith.