Wednesday, March 16, 2005

HOW TOs, part deux

Well, about the only thing I've gotten back with regards to the HOW TOs is stuff about the Registry. That works out well, as I'm already working on stuff for a presentation I'll be giving in June.

Anything else? If you have an idea, please be specific.

Also, there's nothing wrong with sending me a link to one you've written. ;-)

4 comments:

Anonymous said...

Perhaps some info on how to rule out good files as opposed to rouge files using a hash comparison of known good values? I don't understand why this isn't used more for this in alot of the tools that are coming out but I imagine you'd have to have a pretty large database of known good apps and OS files like we use in the forensic community

H. Carvey said...

DJ,

Thanks for the comment, but I think you just wrote your own HOWTO! ;-)

That's the way most folks rule out known good files...create hashes of the files and store those hashes where they can't be modified. Then, at some later point, re-compute the hashes and compare those to the saved values.

The fact is that this technique is used extensively by law enforcement...I can speculate as to why it's not used by your regular Joe Admin, but I think you and I and everyone else will come up with the same Top Ten excuses.

And this technique is still useful, despite the recent hype surrounding the MD5 and SHA-1 hashes.

Anonymous said...

Last night I read a article in the latest 2600 (Vol. 21 Num. 4) called "Hijacking Auto-Run Programs for Improved Stealth." The idea is to scan the registry run keys for programs, then replace one of the auto-run programs with malware which when run will also start the legitimate program. I figure it might be easier for some people to use an executable binder, but since I'm not familiar with exe binders I can't say if there would be any quirks that would make it more or less stealthy.

I wouldn't mind seeing an analysis and how-to of any ways you can think of to counter this new (AFAIK) method of starting programs. Not finding any suspicious registry auto-run keys was somewhat of a relief, I seems we're going to have to investigate that and the running processes a little more thoroughly now.

H. Carvey said...

Adam,

Thanks for the comment...that's a little more explicit and definitely provides food for thought.

I'll have to check out the 2600 article you're referring to...I have to say that I stopped reading that magazine because the articles simply weren't all that well written. One of the things I look for in writing, and strive for in my own, is repeatability. The article has to be written well enough such that it can be repeated and verified.

How about this...could you provide your thoughts on this as a starting point?

Thanks,

Harlan