EC Council CEH 312-50 – Malware – Software Goes Undercover Part 5
July 16, 2023

16. Malware Countermeasures 1

So now we've discussed different ways of cloaking malware to get it onto your system, and different mechanisms for tricking people into running it. Let's talk now about some countermeasures. There are a number of tools, and really actions, that can be performed to both detect and hopefully prevent malware. These are discussed over the next few slides, but what we're going to talk about are antivirus, personal intrusion detection systems and personal firewall products. Now, you heard me say earlier that antivirus is really kind of dead, but for your test it's not; a personal IDS is definitely something you should take a look at. As for personal firewall products: as of Service Pack 2 of Windows XP, Windows has had a firewall in it.

They put it in XP and didn't turn it on by default until Service Pack 2, I think is what it was. But at any rate, they started adding features to it and now it's a fairly robust personal firewall. Then there are anti-spyware and anti-Trojan products; port and process monitoring software like Fport and TCPView; registry modification detection, where you could look at tools like HijackThis, one of the tools we showed you; and file system integrity checkers. Tripwire is the classic one; that's its claim to fame. What it does is take a hash of all of your critical files, or basically all of your files if you want it to, and keep those hashes in a database. If any of those files changes, whether it's a DLL, an EXE or a data file, something is wrong, because those really shouldn't be changing unless we've updated them, so it alerts you.
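Here is what that Tripwire-style check boils down to, as an added example that is not Tripwire's code or anything from the course: build a baseline of SHA-256 hashes (plus size and permission bits) for every file under a directory, store it as JSON, and on the next run report what was modified, added or removed. The directory tree, the "tampered" DLL and the dropped file are constructed in temporary folders purely for the demo; point build_baseline at a real directory such as C:\Windows\System32 to use it for real.

```python
"""Tripwire-style file integrity check: hash a baseline, then report changes."""
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    """Hash in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, dict]:
    """Record sha256, size and permission bits for every regular file under root.
    Keys are POSIX-style relative paths so the database is portable. The mode
    bits are meaningful on POSIX; on Windows only the read-only bit survives."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue   # do not follow links: a swapped link target would be hidden
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
            }
    return baseline


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, list]:
    """Diff two baselines. A size or mode change is reported even if the hash
    matches, e.g. a permission change on a privileged binary."""
    report = {"modified": [], "added": [], "removed": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["removed"].append(rel)
        elif new != old:
            report["modified"].append(rel)
    report["added"] = sorted(set(current) - set(baseline))
    return report


def demo() -> Dict[str, list]:
    """Constructed scenario: a tiny stand-in for System32 gets a DLL swapped for a
    same-size impostor, a file deleted and a new DLL dropped."""
    with tempfile.TemporaryDirectory() as tree, tempfile.TemporaryDirectory() as store:
        root, db = Path(tree), Path(store) / "baseline.json"
        (root / "bin").mkdir()
        (root / "bin" / "cmd.exe").write_bytes(b"MZ original cmd")
        (root / "bin" / "kernel32.dll").write_bytes(b"MZ original dll")
        (root / "README.txt").write_text("docs")
        db.write_text(json.dumps(build_baseline(root), indent=1, sort_keys=True))

        (root / "bin" / "kernel32.dll").write_bytes(b"MZ backdoor dll")   # same size, new hash
        (root / "README.txt").unlink()
        (root / "bin" / "evil.dll").write_bytes(b"MZ dropped")

        return compare(json.loads(db.read_text()), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Keep the baseline somewhere the monitored host cannot rewrite it (read-only media or a separate system): an attacker who can replace kernel32.dll can just as easily replace a baseline.json sitting next to it, which is why Tripwire signs its database. If you suspect a kernel-level rootkit, run the comparison from clean boot media, since a rootkit can lie to the hashing process about what the file contains.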

Other products, such as GFI LANguard S.I.M. (System Integrity Monitor), will tell you that as well. There are malware reference sites we can look at, from vendors such as Sophos, Symantec and McAfee. You could also encrypt your local hard drives, and I'll go into detail on that in the bonus section I was talking about. Purchase legitimate software; don't use keygens, all right? And in Windows 10 (it has been available since Windows 7), use AppLocker, which can be configured to only allow applications that carry a digital signature from a publisher you trust. I'll talk about that in the next couple of slides because that's actually rather important. One reference site that's a great site is BleepingComputer.com. It has a number of different features.

One of its claims to fame is that it shows you the default ports, autostart registry keys, file names and suspicious capabilities of known malware. It'll even show you how to get rid of a virus or Trojan manually. How do we normally do that? Well, we normally have our antivirus do it. What happens if the antivirus can't clean it or quarantine it, and you'd otherwise have to re-image (re-ghost) the machine? Well, you could go to BleepingComputer and it will tell you: manually go to this registry key, remove this, delete this file, and so on. So it's a great site for you to take advantage of. Another countermeasure is monitoring the ports that are open. In order for someone to communicate with the malware it has to have a port open, either listening for the attacker or holding an outbound connection to the attacker's machine, so we can quickly reveal what is listening and what active connections are established using tools like Port Explorer, Fport and TCPView.
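The kind of check those port-monitoring tools perform, written out as an added example (not code from Fport, TCPView or the course): parse the output of the built-in netstat -ano, join the PIDs to image names the way you would against tasklist, and flag anything listening on a port the build isn't supposed to expose, plus established sessions to unusual remote ports, since a reverse-connecting Trojan holds an outbound connection rather than a listener. The netstat text, the PID-to-process map, the allowlist of expected ports and the rundll32.exe process hosting a DLL on port 6666 are all constructed for the example; on Windows the script runs the real netstat, elsewhere it falls back to the sample.

```python
"""Find unexpected listeners and outbound sessions in `netstat -ano` output."""
import subprocess
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample (not captured from a real host). The rundll32.exe process
# listening on 6666 stands in for the slide's DLL-injected Trojan; 4444 is its call-home.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING       2488
  TCP    [::]:3389              [::]:0                 LISTENING       1376
  TCP    192.168.1.20:49812     203.0.113.7:443        ESTABLISHED     3120
  TCP    192.168.1.20:49901     198.51.100.9:4444      ESTABLISHED     2488
  UDP    0.0.0.0:5355           *:*                                    1204
"""

# Constructed PID -> image name map, the join you would do against `tasklist`.
SAMPLE_TASKLIST: Dict[int, str] = {
    4: "System", 912: "svchost.exe", 1204: "svchost.exe",
    1376: "svchost.exe", 2488: "rundll32.exe", 3120: "chrome.exe",
}

# Hypothetical allowlist: the ports this build is supposed to expose.
EXPECTED_LISTENERS: Set[int] = {135, 445, 3389, 5355}
NORMAL_REMOTE_PORTS: Set[int] = {80, 443}   # heuristic; tune to your environment


@dataclass
class Conn:
    proto: str
    local: str
    lport: Optional[int]
    remote: str
    rport: Optional[int]
    state: str
    pid: int


def _endpoint(ep: str):
    """Split 'host:port', handling IPv6 '[::]:3389' and the UDP '*:*' foreign address."""
    host, _, port = ep.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                      # title, header and blank lines
        if parts[0] == "UDP":             # UDP rows carry no State column
            proto, local, remote, pid = parts
            state = ""
        else:
            proto, local, remote, state, pid = parts
        lhost, lport = _endpoint(local)
        rhost, rport = _endpoint(remote)
        conns.append(Conn(proto, lhost, lport, rhost, rport, state, int(pid)))
    return conns


def find_suspicious(conns: List[Conn], expected: Set[int], tasklist: Dict[int, str]) -> List[str]:
    findings = []
    for c in conns:
        name = tasklist.get(c.pid, "?")
        if c.state == "LISTENING" and c.lport not in expected:
            findings.append(f"unexpected listener {c.proto}/{c.lport} pid {c.pid} ({name})")
        elif c.state == "ESTABLISHED" and c.rport not in NORMAL_REMOTE_PORTS:
            # A reverse-connecting Trojan never listens; it shows up here instead.
            findings.append(f"outbound {c.remote}:{c.rport} from pid {c.pid} ({name})")
    return findings


if __name__ == "__main__":
    if sys.platform == "win32":           # real data on Windows, the sample elsewhere
        text = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_NETSTAT
    for finding in find_suspicious(parse_netstat(text), EXPECTED_LISTENERS, SAMPLE_TASKLIST):
        print(finding)
```

Two caveats a practitioner would add: a rootkit that hooks the APIs netstat and TCPView use can hide its own sockets, so corroborate from the network side (a span port, or a scan of the host from another machine), and a process name alone proves little, since the slide's Trojan lives inside a DLL loaded by a legitimate-looking host process, which is exactly why the example reports the PID so you can go look at what that process has loaded.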

So you can see here (this is an old screenshot) the Trojan is running on port 6666, where we've embedded or injected it into a DLL. And as I talked about before, for system file integrity there are tools like Tripwire and GFI's LANguard; these are great tools. Tripwire used to be free. Now it's actually kind of expensive, in my opinion. It's about, I think, $2,500 per server. And I may be off on that, I'm not absolutely sure, but it's a long way from being free as it used to be (an open-source edition, Open Source Tripwire, still exists). But it's a great product. This is the part that I was wanting to actually do a real quick demo on. If you go into Windows 10 and open a process listing such as Windows Defender's or, more usefully, Sysinternals Process Explorer with its Verified Signer column enabled, it will list all of the running applications and show which of them actually have a valid digital signature on them.

Mark Russinovich created a utility called Sigcheck, and you may be surprised to find out that virtually all of the applications you're running nowadays already have a digital signature on them. The ones that don't are the ones someone can modify without you noticing. Now, one thing you can basically say for sure: an attacker does not want to ship malware signed with a key that traces back to them, because the signature leads right back to whoever holds that private key. (Signed malware does turn up in the wild, signed with stolen or fraudulently obtained code-signing certificates, which is why what you check is who the signer is and whether the certificate is still trusted, not merely that a signature is present.) I think I may have talked about this in the cryptography section, but when the dialog box comes up and says "install this software from Microsoft" and has a little checkbox "always trust content from Microsoft", it's basically saying the software has been digitally signed by Microsoft.

Would you like to always trust that content? My question to you is: if you check that checkbox, does that mean any software you get from Microsoft is not malicious? And I'm really hoping you thought a little bit about this and said no, it doesn't mean that at all. But it does mean you've got a throat to choke. That's exactly what it means, because they're the only ones who could have signed it with that private key. So they are the ones who are responsible. Consequently, a valid signature on a piece of malware points straight at whoever controlled the signing key, which is exactly why attackers avoid signing with keys that can be traced to them.

So Microsoft, with AppLocker (introduced in Windows 7 and present in Windows 10), can be configured so that no software runs unless it has a digital signature, using publisher rules. And almost all software nowadays does have a digital signature on it. But there could be applications that you created in house, or some older legacy applications, that are unsigned; you can always whitelist those by path or by file hash and utilize them. But let's just go ahead and take a look at what this might look like. What I've opened for you is the Sysinternals Suite, and I'm going to simply type in sigcheck followed by C:\Windows\System32\cmd.exe. When I press Enter, it displays the digital signature for that particular application.

Microsoft's executable file format is called the Portable Executable; some people just call it the PE. Its headers tell the loader what kind of machine the image is built for (the Machine field in the COFF header: x86, x64, ARM64 and so on), which subsystem it targets (console or GUI), and the minimum Windows version it requires, which is how an image meant for Windows 95 or 98 is distinguished from one built for Windows NT and later. The optional header also has a table of data directories, various slots or cubby holes, you might call them, one of which (the security directory, also called the attribute certificate table) holds the Authenticode digital signature, so that you know this came from a particular manufacturer.
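As an added example (not Microsoft's code or the course's), here is a minimal walk of the PE headers just described: read e_lfanew from the DOS stub, the Machine field from the COFF header, the optional-header magic (PE32 versus PE32+), the subsystem and minimum OS version, and data directory entry 4, the security directory, which is the cubby hole pointing at the Authenticode certificate table. It only reports whether a signature is present and what kind it is; it does not verify it against the image hash or a certificate chain, which is the part sigcheck or signtool verify does. The build_image helper is a constructed header-only image with a placeholder certificate blob so the code runs without a real binary; pass the path of a real EXE or DLL to parse that instead.

```python
"""Walk the PE headers: machine, format, subsystem, and whether an Authenticode
signature is present. Presence only: verifying it is sigcheck/signtool's job."""
import struct
import sys
from pathlib import Path

MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows console"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # index of the certificate table directory
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002     # Authenticode signatures are PKCS#7 SignedData


def parse_pe(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("no MZ (DOS) header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]               # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = pe_off + 4
    machine, nsections, _, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        fmt, dirs_off = "PE32", 96          # directories follow the 32-bit fields
    elif magic == 0x20B:
        fmt, dirs_off = "PE32+", 112        # ImageBase and stack/heap sizes are 8 bytes wide
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)  # same offset in both formats
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    num_dirs = struct.unpack_from("<I", data, opt + dirs_off - 4)[0]  # NumberOfRvaAndSizes
    info = {"machine": MACHINES.get(machine, f"{machine:#x}"), "format": fmt,
            "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
            "min_os": f"{os_major}.{os_minor}", "sections": nsections,
            "signed": False, "signature": None}
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        cert_off, cert_size = struct.unpack_from("<II", data, entry)
        if cert_off and cert_size:
            # The odd one out: this directory's first field is a raw file offset,
            # not an RVA, because the certificate table is never mapped into memory.
            length, revision, ctype = struct.unpack_from("<IHH", data, cert_off)
            info["signed"] = True
            info["signature"] = {
                "file_offset": cert_off, "length": length, "revision": f"{revision:#x}",
                "type": "PKCS#7 SignedData" if ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA else f"{ctype:#x}",
            }
    return info


def build_image(machine: int = 0x8664, pe32plus: bool = True, signed: bool = False) -> bytes:
    """Constructed header-only image (not loadable) so the parser can run offline.
    The 'certificate' is a two-byte placeholder, not real PKCS#7 data."""
    magic, opt_size, dirs_off = (0x20B, 240, 112) if pe32plus else (0x10B, 224, 96)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew: right after the stub
    header = bytes(dos) + b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<HH", opt, 40, 10, 0)                         # MajorOperatingSystemVersion 10.0
    struct.pack_into("<H", opt, 68, 3)                              # console subsystem
    struct.pack_into("<I", opt, dirs_off - 4, 16)                   # all 16 directories present
    if not signed:
        return header + bytes(opt)
    cert_off = len(header) + opt_size
    cert_off += -cert_off % 8                                       # table entries are 8-byte aligned
    blob = b"\x30\x80"                                              # placeholder, not real DER
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
    struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(cert))
    return header + bytes(opt) + b"\0" * (cert_off - len(header) - opt_size) + cert


if __name__ == "__main__":
    if len(sys.argv) > 1:                 # e.g. C:\Windows\System32\cmd.exe
        print(parse_pe(Path(sys.argv[1]).read_bytes()))
    else:
        print(parse_pe(build_image()))
        print(parse_pe(build_image(machine=0x14C, pe32plus=False, signed=True)))
```

Two details worth knowing when you read real files: the certificate table is excluded from the hash that the Authenticode signature covers, so bytes can be appended there without invalidating the signature, and a file with a populated security directory is merely "signed", not "validly signed" until the PKCS#7 blob is checked against the image hash and a trusted chain, which is what sigcheck -a -v does for you.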

17. Malware Countermeasures 2

There are a couple of other things that I didn't put in the slides that I think you might need to be aware of. Microsoft has something they refer to as the Microsoft Malicious Software Removal Tool (MSRT). You run it and give it a scan type: a quick scan, a full scan or a customized scan. It scans for a specific list of prevalent malware families and removes what it finds; it is not a general-purpose antivirus, and checking that Microsoft's own system files still match their expected hashes and signatures is the job of the System File Checker (sfc /verifyonly) rather than MSRT. If something's not quite right, it will alert you. But sometimes, if you have what's called a rootkit, the rootkit can hide from this type of tool while the infected operating system is running.

So the answer to that is an offline scan: Windows Defender Offline will schedule itself and reboot the machine into a separate, minimal scanning environment that runs before the installed operating system and any rootkit driver it carries have loaded. Malware can't hide in that mode, so the scan finds anything that's there. This is also related to why, when Patch Tuesday rolls around and Microsoft patches your system, it has to reboot, tells you "don't turn off your system while it's doing this", and then maybe reboots again: during that restart it finishes the update before the normal desktop session and its services start, replacing files it couldn't touch while they were in use. So I could just simply go through this quick scan to see if I have any files that are infected, and I'll go ahead and move this off to the side.

We'll check back on that later. Another countermeasure Windows gives us is the software restriction policy. A software restriction policy is simply a set of rules to control which programs a user can run. I remember back in the Windows 95 and Windows 98 days it was really popular for people to run Solitaire, and they finally took that out of the production builds. But if you simply renamed Solitaire to something other than sol.exe, it would still run. Well, now they've kind of defeated that, because the policy can create hash rules for all known executable file types, and a hash rule matches the file's contents regardless of its name or location. The four rule categories are hash, certificate, path and Internet zone.

So it'll typically catch you. Now let's talk about what might happen when Patch Tuesday rolls around, we install a patch and it breaks something. If you guys have been around since the Windows NT days, there was Service Pack 2 for NT. My gosh, it broke more things than it fixed. If you put Service Pack 2 on, you had to fix it with Service Pack 3. It was just absolutely ridiculous. Well, they've gotten a lot better at this now, but still, there are things that stop working when we patch. Let's say, for example, it's a piece of software in our production system and we have to have it; there's no other way we can function without it.

So what do you do? Not patch your system? That becomes kind of a perplexing argument, doesn't it? On one hand, somebody could use this vulnerability that everyone knows about, because as soon as Microsoft announces it to the world, every nefarious person out there is going to try to develop something that exploits it. But if you apply the patch to stop that, it stops one of your applications from working. Okay, so you call the application vendor. "Yes sir, you're right, we're going to have that fixed in the first quarter of next year." Well, I can't wait that long. So what do you do? Well, most businesses will simply go unprotected. But there is another option: a hardware-based malware detector.

This is actually an appliance that sits upstream of your server, your web server or whatever it might happen to be, inspects the traffic heading to it and looks for signatures of malware and exploit attempts, and its signature set is constantly being updated. (This is what's generally called a network intrusion prevention system; used this way it acts as a stopgap, sometimes called a virtual patch, until the vendor fixes the application, and it is no substitute for eventually applying the real patch.) It is quite expensive; I believe, last I looked at this, it was about $18,000. But it does protect quite a few servers, so maybe the price isn't that bad. So there are some ways of being able to protect yourself. Now, my scan has finished and says that no malicious software was detected, so I guess that's good. Finally, there's one last countermeasure: user education. It's extremely important to inform end users about the dangers of running software obtained from untrusted sources, especially email attachments.

We know all too well about WannaCry, how many organizations it crippled and how much damage it did (and it spread through an SMB flaw Microsoft had already patched, which brings us right back to the patching problem above). Instead of having users simply read and sign off on the company usage policy, do a face-to-face meeting. I'm a huge proponent of this because it actually worked for me. So, bottom line: remember, there's no patch for stupidity. You can't just put a service pack on a person. You can't just tell somebody "don't do it" and expect them not to do it. We're dealing with educated workers these days, and you really have to tell them why they shouldn't do it. Maybe "just don't" would work in the military, but it generally doesn't work in the workplace these days.
