More Countermeasures

[nihil]

Hi Folks, Here are a few more potentially useful “free” utilities.

I am afraid that I tend to take a pretty simple view of life, and bundle things into two main categories:

1. Security….access rights, firewalls, encryption,password protection…and so forth
2. Malware…anything that might get to run on your computer that is not in your best interests (no sarcastic comments about OSes, please)

I know that the two are closely related, so some of the utilities I mention might seem to be more to do with security , however I also feel that they have an anti-malware application, if they prevent it getting in,or working properly if it does.

In my last post I mentioned http://www.wildersecurity.com and an individual called “Javacool”: here are three more offerings from the same source.

MRU-Blaster v1.5 ………..This clears out “most recently used” lists, and the version that I have looks for 24,100 of them. No big deal, you might think, but if spyware and remote access stuff cannot find anything interesting to report, you might well get left alone; anyway it is your personal privacy isn’t it?
I feel that the less User specific information there is on your box, the better protected you are against things like identity theft?

Spyware Blaster 2.5.3…………….seems to do what it says, and also allows you to make a system snapshot to recover from a spyware attack (nice touch?), and offers online updates. Does not cover as many items as Lavasoft’s AdAware 6.0 or SpyBot Search & Destroy, but another opinion might be worthwhile?

ID-Blaster +plus…………this is an interesting one as it sets certain system identification values to null, or randomizes them every 30 seconds (you can change this between 1 & 60). This should confuse spyware and may offer some protection, as correct system information will not be obtained.

ProcRecon v1.5 by Willy Yeo http://webchitect.com/ProcRecon This is a useful task manager type program that works with 32 bit Oses, it should let you catch and kill any malware you find running on your machine, but please BE CAREFUL! It shows what is running, not just questionable items!

Hijack This V1.93 by Merijn (a Dutch contributor). This one specifically looks for browser hijackers where other scumware detectors may not go. It is also useful in that it shows you other stuff you may not want, and scumware that has not been included in other detectors yet.

Please be VERY CAREFUL with this one as it edits the Registry!

You should be able to find it at http://www.spywareinfo.com …a useful link,anyway?

Spider by Ward van Wanrooij. This is an old one and I do not have a link for it on this box, there may well be a newer version around (sorry). It is used with a program called “spiderbite.exe” to delete stored URLs. It defaults to Internet Explorer locations, but can be set to scan whole drives for hidden URLs. It seems to work with IE up to 6.0 and Windows up to Me (both inclusive).

Xen v1.89 by Paul Brown. This is a multifunctional cleaning, anti-malware and tweaking tool, which works with all Windows versions. It can get rid of a lot of “baggage” as well, but I would skip the font cleaning option, as it archives some that a lot of other programs use……..easy to restore them though!

I guess this brings me back to the similarities between malware defence and security. I am not aware of any AV that scans the swap/page file if run under Windows, presumably because of the exclusive file lock. Similarly, the standard “cleaning” tools tend to ignore this file,or only partially clean it, even though it can contain all sorts of sensitive data such as unencrypted passwords,credit card info and so on. I suspect that this is a greater danger if you specify a fixed swapfile size, as natural overwriting would tend to be slower, and sensitive data could hang about for some time.

If I understand the issue correctly, Windows locks the swapfile when it boots, and starts to use it immediately. If you have specified a dynamic swapfile then cleaning empty space will delete a part of the previous swapfile, but if it is fixed then I don’t think it would be cleaned at all. I would expect Windows to come up with some sort of access violation message?.

I am not aware of any malware that currently uses this exploit, but it seems that it might be possible to embed something in the Swapfile, and invoke it during the next re-boot, or at least extract sensitive data ? There would be an obvious danger here if someone gained illicit access to your machine, either physically or remotely. (paranoid?…moi?)

Scorch v1.02 by Iolo Davidson and MCP WipePro+ from Marathon Computer Press may help? Unfortunately, they both require DOS.

The latter can be obtained from http://www.marcompress.com and contains quite a bit of useful info. It also has a link to Peter Gutmann’s article, for those interested in really secure deletion of stuff.

I guess that’s all for now…….. Be safe….Stay safe

johnno

BTW.....I don't look on this as a tutorial myself...just sharing ideas and info...I have more: when I have finished unpacking (just moved house) some of which I consider to be "proper" tuts...guess I'm just another dinosaur looking for a place to die

[Animator]

Nice links, to comment on your pagefile piece, to clear the pagefile at shutdown at a NT or 2k system, check this link: http://support.microsoft.com/default...b;en-us;182086
for XP http://support.microsoft.com/default...b;EN-US;314834

This will make your system wait for *hours* at a reboot while it is "clearing" the contents of the pagefile but extracting something at next boot is (presumably) not possible.

[SirSub]

http://www.fsm.nl/ward/
URL for spider

[foxyloxley]

Once again, I know it's flashing.
But I'm reading tut's on countermeasures, and tonight I've found these by nihil. These aren't the only ones found, and I'm aware that there are probably 1 or 2 in the rest of the archives. I'm just asking that you don't neg me for doing some research ?? anyway, I am reading through this lot and I was wondering if you (nihil) had put these into any specific order of merit ?? from my use of the links, all I can determine is that a lot of these sites do a similar job. Or do you advocate ? using that which you find easiest ? I believe that I could PM you, however I noted that you are 'watching' these threads.