Results 1 to 6 of 6

Thread: defensive strategies

  1. #1
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188

    defensive strategies

    Hi folks, I have only been a subscriber for a short time, but I thought I ought to try to make some kind of contribution. I have been studying malware and security for a number of years now, mainly on a “needs to know basis”. A reactive as opposed to proactive approach, I suppose.

    I would like to open this thread for all us newbies, with the hope that all will contribute. I have come across a number of excellent recommendations for security software/tools on this site, and have tried various ones myself, over the years. I think that we could usefully exchange knowledge and experience in this area? The problem with he solutions one reads is that they tend to relate to a particular problem, rather than good security measures in general?

    I will try to keep this short, as I feel that too much information at once tends to swamp people (it also makez mi brane ‘urt)

    So:

    Let’s make a start with what “malware” tries to do:

    1. Amend the Windows Registry……………..I guess that at least 95% of it tries to do that?
    2. Propagate via e-mail…………….got to be 80% plus?
    3. Access address books…………….maybe 70%?

    There are a number of other attributes, and I may have two or three follow-up posts “on the stocks”, to deal with these (If I don’t get banned or something)……………What I am hoping to create here is a thread for us to exchange info. And experiences ………………I would hope that it lasts for a week or two.

    FIRSTLY:

    A. You MUST have a modern antivirus software program running. It must scan ALL programs and scan heuristically (try to anticipate malware activity). You MUST keep it up to date…a lot of the new ones will do this automatically.

    B. You MUST have a personal firewall, if you are accessing the Internet. Keep this up to date, as in A. above.

    These are what I call “level one” defences.

    OKAY…this is for single machines only………..network stuff must come later.


    SECONDLY:

    Let us address the three malware activities I have introduced so far……………..

    The Windows Registry………I recommend using Registry Protector from diamondcs.au I believe the program is regprot.exe, and I for one, would not be without it. You are warned if a Registry amendment is about to be made, and given the opportunity to accept or reject. It can be a pain if you load a new application, but, if it needs more than 6 registry entries it is probably no good anyway….

    If you have not loaded new software and this kicks in…you may have a problem…just say “no” and see if what you wanted to happen works. If it doesn’t…just try again and say “yes” at the prompt….and on your own head be it!!!!

    Propagate via e-mail……….OKAY…you have an infected box….do you want to pass it on?

    Try “Mail Control” by Yavin Kaplan (http:www.internals.com)
    This app. Prevents unauthorised sending of e-mail on your behalf (currently SMTP only).
    It also permits you to set rules to allow/deny sending, but use this wisely, as you may negate its functionality.

    VBS Script Executor…………………http://www.astonsoft.com

    A new player in the security market from Estonia (a fellow EC country)…look to have some nice stuff and much more on the boil..so to speak

    Seems to monitor WSH/VM for malicious VBS and JAVA scripts.

    It also monitors for attempts to modify autostart AND ATTEMPTS TO OPEN ADDRESS BOOKS (nice touch!)

    HERE ARE A FEW MORE:

    SpywareGuard from javacool
    http://www.wildersecurity.com/spywareguard.html

    features live update
    helpfile explains how it works
    has forum at http://www.wildersecurity.com


    Scrip Trap from Robin Keir
    http://www:keir.net

    I like this one!…it intercepts potentially harmful programs.
    It will link to your antivirus program
    There is a helpfile that explains how it works…


    WinPatrol from BillPStudios
    http://www.winpatrol.com

    This gives realtime protection
    Good cookie control
    Good control tools for startup and active tasks
    AND I LOVE the social engineering…the little dog will make kids aware of threats
    (for those who are interested, I define “kid” as less than 11 years old)

    AnalogX Script Defender

    OKAY…I am not sure which side of the fence AnalogX live on, but this stuff seems to work….It allows experienced users to change the code. Try http://www.analogx.com


    I will leave you now…should I proceed with this?………………….it is not a tutorial….just the start of a thread?

    Be safe, stay safe

    johnno

  2. #2
    Junior Member
    Join Date
    Jun 2002
    Posts
    24
    Hey, great info for sure. Another thing that people might want to do is get some anti-trojan type software as well. Ad-aware by lavasoft is one of the leading programs that does this. I've been using it for a while, and never been let down. Also, spy bot is another good one. Both of these do registry scanning, and if updates are performed, can be a great tool for defense.

    One tip that I could offer is to make copies of the registry on a weekly basis, just in case you're totally screwed, it could save your ass. I do this on all the servers that I take care of, and has helped more than once! It's easy to script. All leading backup programs can backup the system state, including native tools such as ntbackup.

    Justa thought.

    Great post.
    ----------------------------------------------------------------
    \"First you get the sugar, then you get the power, then you get the women\"
    ----------------------------------------------------------------

  3. #3
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    *Copied to Tutorials*

    Some nice info

  4. #4
    Banned
    Join Date
    Jul 2002
    Posts
    877
    I've found p2p worms to be more common then anything else so I would also suggest renameing (Or atleast highly monitoring and auditing) FTP shares such as:

    C:\program files\bearshare\shared\
    C:\program files\eDonkey2000\incoming\
    C:\program files\kazaa\my shared folder\
    C:\Program Files\Morpeus\My SharedFolder\
    C:\program files\kazaa lite\my shared folder\
    C:\My Downloads\
    C:\Program Files\Grokster\My Grokster\
    C:\Program Files\KMD\My Shared Folder\
    C:\Program Files\ICQ\Shared Files\
    C:\Program Files\limewire\shared\
    C:\Program Files\winmx\shared\
    C:\My shared folder\

    ...ummm or you could just completely get rid of all p2p shares and other file shareing stuff. As a matter of fact you might as well get rid of all file shareing clients too cause theres no need in mindlessly downloading crap.

  5. #5
    Senior Member DeadAddict's Avatar
    Join Date
    Jun 2003
    Posts
    2,583
    Thanks for the information this will come in handy one day

  6. #6
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,534
    Again, I know it's flashing !!!
    Just realised the home page layout changes when you enter a thread !! So, for most of you , there will be the urge to teach me a lesson ?? However, please remeber that you were a Noob once, and I am doing my research on security and countermeasures.
    so now I'm in my SIXTIES FFS
    WTAF, how did that happen, so no more alterations to the sig, it will remain as is now

    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •