Comments on Windows Incident Response: HOW TOs, part deux
(Blogger comments feed, 4 comments, newest first; feed last updated 2024-03-19)

---

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2005-03-23 07:11 -05:00

Adam,

Thanks for the comment...that's a little more explicit and definitely provides food for thought.

I'll have to check out the 2600 article you're referring to...I have to say that I stopped reading that magazine because the articles simply weren't all that well written. One of the things I look for in writing, and strive for in my own, is repeatability. The article has to be written well enough such that it can be repeated and verified.

How about this...could you provide your thoughts on this as a starting point?

Thanks,

Harlan

---

Anonymous, 2005-03-17 15:07 -05:00

Last night I read an article in the latest 2600 (Vol. 21 Num. 4) called "Hijacking Auto-Run Programs for Improved Stealth." The idea is to scan the registry run keys for programs, then replace one of the auto-run programs with malware which, when run, will also start the legitimate program. I figure it might be easier for some people to use an executable binder, but since I'm not familiar with exe binders I can't say if there would be any quirks that would make it more or less stealthy.

I wouldn't mind seeing an analysis and how-to of any ways you can think of to counter this new (AFAIK) method of starting programs.

Not finding any suspicious registry auto-run keys was somewhat of a relief; it seems we're going to have to investigate that and the running processes a little more thoroughly now.

---

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2005-03-17 06:20 -05:00

DJ,

Thanks for the comment, but I think you just wrote your own HOWTO! ;-)

That's the way most folks rule out known good files...create hashes of the files and store those hashes where they can't be modified. Then, at some later point, re-compute the hashes and compare those to the saved values.

The fact is that this technique is used extensively by law enforcement...I can speculate as to why it's not used by your regular Joe Admin, but I think you and I and everyone else will come up with the same Top Ten excuses.

And this technique is still useful, despite the recent hype surrounding the MD5 and SHA-1 hashes.

---

Anonymous, 2005-03-16 22:45 -05:00

Perhaps some info on how to rule out good files as opposed to rogue files using a hash comparison of known good values? I don't understand why this isn't used more for this in a lot of the tools that are coming out, but I imagine you'd have to have a pretty large database of known good apps and OS files like we use in the forensic community.
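The two threads above fit together: the auto-run swap described in the 2600 article leaves the Run key value itself pointing at the legitimate path, so a scan of the key finds nothing, while the hash baseline DJ asks about and Harlan describes (hash the known-good files, keep the hashes where the host cannot touch them, re-hash later and compare) catches the replaced binary. The following is an added example written for this page, not code from the blog or from any of the commenters. It parses a Run key in the text format `reg export` writes, resolves the executable each value launches, and diffs the current key and file hashes against a stored baseline. The registry export, value names and paths are constructed for the example; the `resolve` hook is an assumption of this code that maps registry paths to wherever the files are readable from (identity on a live host, a mount-point mapping when the disk is examined elsewhere).

```python
"""Baseline-hash check of Run-key auto-start programs.

Added example; not code from the blog post or its commenters. Hashes the
binaries a Run key launches, stores them with the command lines, and later
reports any value whose file changed behind an unchanged registry entry.
"""
import hashlib
import os
import re
import tempfile
from typing import Callable, Dict, Tuple

# Constructed sample in the format `reg export` writes (decode the UTF-16 file
# it produces first on a real host). Paths and value names are invented.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"
"SoundMixer"="C:\\WINDOWS\\system32\\mixer.exe"
'''

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# registry path -> path the file can actually be opened at
Resolver = Callable[[str], str]


def parse_run_values(reg_text: str) -> Dict[str, str]:
    """Map value name -> command line for the REG_SZ values of a .reg export.
    .reg files double backslashes and backslash-escape quotes; undo both."""
    values = {}
    for line in reg_text.splitlines():
        m = _VALUE_RE.match(line.strip())
        if m:
            values[m.group("name")] = re.sub(r"\\(.)", r"\1", m.group("data"))
    return values


def image_path(command: str) -> str:
    """Executable named by a Run value: the quoted token, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def sha256_file(path: str) -> str:
    """SHA-256 of a file, streamed so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(reg_text: str, resolve: Resolver) -> Dict[str, Tuple[str, str]]:
    """value name -> (command line, SHA-256 of its image). Keep the result
    somewhere the host cannot modify (read-only media, another machine)."""
    return {name: (cmd, sha256_file(resolve(image_path(cmd))))
            for name, cmd in parse_run_values(reg_text).items()}


def check_autoruns(reg_text: str, baseline: Dict[str, Tuple[str, str]],
                   resolve: Resolver) -> Dict[str, str]:
    """Diff the current Run key and its images against the baseline.
    Per value: ok | modified (same command, different file) | retargeted
    (command line changed) | missing (file gone) | new | removed."""
    current = parse_run_values(reg_text)
    report = {}
    for name, cmd in current.items():
        if name not in baseline:
            report[name] = "new"
            continue
        base_cmd, base_hash = baseline[name]
        if cmd != base_cmd:
            report[name] = "retargeted"
            continue
        path = resolve(image_path(cmd))
        if not os.path.isfile(path):
            report[name] = "missing"
        else:
            report[name] = "ok" if sha256_file(path) == base_hash else "modified"
    for name in baseline.keys() - current.keys():
        report[name] = "removed"
    return report


def demo() -> Dict[str, str]:
    """Stage the swap in a temp dir: baseline, replace updater.exe in place, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        on_disk = {r"C:\Program Files\Vendor\updater.exe": os.path.join(tmp, "updater.exe"),
                   r"C:\WINDOWS\system32\mixer.exe": os.path.join(tmp, "mixer.exe")}
        for path in on_disk.values():  # stand-ins for the real binaries
            with open(path, "wb") as f:
                f.write(b"MZ legitimate " + os.path.basename(path).encode())

        def resolve(reg_path: str) -> str:
            return on_disk.get(reg_path, reg_path)

        baseline = build_baseline(SAMPLE_REG_EXPORT, resolve)
        # The article's trick: the Run value is untouched, the file behind it is
        # replaced by something that also launches the original.
        with open(on_disk[r"C:\Program Files\Vendor\updater.exe"], "wb") as f:
            f.write(b"MZ dropper that also starts the real updater")
        # A value added since the baseline is reported as well.
        later = SAMPLE_REG_EXPORT + '"Helper"="C:\\\\tools\\\\helper.exe"\n'
        return check_autoruns(later, baseline, resolve)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name:12} {status}")
```

On a live host the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKCU, RunOnce and other auto-start locations, which this example does not enumerate), with the baseline written to media the machine cannot alter. Storing the command line alongside the file hash is what separates "same entry, swapped binary" from "entry retargeted", the two ways the auto-run can be hijacked. SHA-256 is used rather than MD5 or SHA-1: a tamper check compares a stored hash against a file produced later, which is a second-preimage problem rather than the chosen-prefix collisions published against the older hashes, but the stronger hash costs nothing and removes the question.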