Botnet Eavesdropping: Inside the Mocbot (MS06-040) Attack

FlyingPenguin
Flightless Bird
Posts: 32784
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

Christians warn us about the anti-christ for 2,000 years, and when he shows up, they buy a bible from him.

123cool
Golden Member
Posts: 524
Joined: Mon May 10, 2004 4:14 pm
Location: England

Post by 123cool »

Interesting article. Personally, the best way to secure yourself against these attacks is to only open pages and email that you know are safe. All my emails are set up so I only receive mail from people on my list, and I avoid any websites that I haven't seen before or look dodgy.
Athlon 4400 X2, @ 2.5Ghz, 1.375v validation
Corsair 3200C2 2.5-3-3-6 @ 1T Twinx 2GB,
Nvidia 7800GTX 256MB XFX @ 467/1.28,
A8N Sli Premium ASUS,
250GB Maxtor Maxline 3,
Sound Blaster Audigy 2ZS.

3DMark05 = 8434

canton_kid
Golden Member
Posts: 1400
Joined: Tue Mar 26, 2002 5:01 pm

Post by canton_kid »

"best way to secure yourself against these attacks is to only open pages and email that you know are safe, all my emails are set up so I only receive mail from people on my list. and I avoid any websites that I haven't seen before or look dodgy."

Sounds good, but how can you actually do that?
I mean, I just received an important e-mail from someone I never heard of before. He said my regular salesman was in an accident and would be off work for a while and he would be handling my account. Of course I checked, and it was a real mail, and my sales guy will be fine in time.
Anyway, that person would not have been in any list because I never heard of him before.

And how do you know if a page looks dodgy if you haven't opened it yet or been to the site? Anything shows up in search engines! I've been to some pretty crappy, dodgy sites when looking for products I want to order, and sometimes they don't even sell anything near what I am wanting, but they showed up in the search for the items. How do you know till you get there where you're going?
My favorite mismatch, I guess, was when I was looking for info on some Bonds; a site popped up with woman in chains, not what I wanted to invest in though :rolleyes:
Canton_kid

spam bot food!
Anti-Spam: http://www.auditmypc.com/freescan/antispam.html
FlyingPenguin
Flightless Bird
Posts: 32784
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

More and more I think we'll be seeing some form of Virtual Machine technology be the answer to all this. You'll be browsing and checking mail in a VM system running isolated in software and incapable of infecting the host system.

I already do this with VMWare when browsing questionable sites. When I finish the session, VMWare restores a "snapshot" image and any changes made during that session vanish. Next time I boot up the VM system, I'm back to a clean pristine system.
123cool
Golden Member
Posts: 524
Joined: Mon May 10, 2004 4:14 pm
Location: England

Post by 123cool »

Well, the email thing: I would have phoned the salesman and checked. If you want to be able to email me you've gotta either PM me on a forum first or stick my address into MSN, and once I've decided I'll add you to my list.

And as for sites, I tend to go to sites that people use a lot and recommend (from people I trust) like FP, blade, ego and everyone else on here. I only browse toms, pca, scan, youtube, and newsgroups.
FlyingPenguin
Flightless Bird
Posts: 32784
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

Frankly if you're not running Firefox you should disable ActiveX scripting by default except for trusted sites, and then add your trusted sites to the trusted sites white list in IE.

99.8% of all exploits are from ActiveX scripting. IE is just an exploit magnet. Nearly all professional websites will run just fine without ActiveX scripting, and if it requires ActiveX AND you trust it, you can add it to your list. You shouldn't be running scripts on an untrusted site, PERIOD.

I use Firefox and NEVER see ActiveX, and it doesn't affect my browsing one iota. Once in a blue moon I hit a website that matters to me that requires it, but then I decide if I want to view it in IE or not.
FlyingPenguin
Flightless Bird
Posts: 32784
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

Also, I guess this is a good time to discuss how I handle emails.

If you use Outlook or Outlook Express you have to realize that when you open a message - or you see the message in the preview pane - that message is displayed in an IE browser whether you realize it or not (brilliant design philosophy on M$'s part - "Let's take our most insecure product - IE - and incorporate it into EVERYTHING!"). Any email that's composed in HTML could have ActiveX scripting embedded in it to do all kinds of evil things, or use any of a number of known IE exploits (if they're not patched on your system) to force your mail preview window to execute code, take you to a malicious website, etc.

ActiveX scripting is BAD 'kay? As I mentioned in the previous post, you should really REALLY disable it in IE (if you disable it in IE it's also disabled in Outlook and OE). You absolutely, positively, have no need whatsoever for ActiveX scripting in an email message.

I personally bypass the entire issue and use a setting in OE (my default mail client) to "Read all messages as plain text." (Read tab in the OE settings). This strips all the HTML out of any email message and just displays it as plain text. You can't get infected by plain text.

You always still have the option to look at the message in HTML if you really need to (View menu - "View message as HTML", which is only toggled for that one message you have open or previewed, and only for that session until you look at another message). Or, better yet - what I do - I open the HTML attachment via the paperclip icon (when you view a message in plain text, the HTML portion is actually an attached HTML file that shows up as an attachment). This opens the HTML attachment in your default browser - in my case that's Firefox, which has no ActiveX scripting, so it's immune to ActiveX exploits.


Frankly there is just no reason to read emails in HTML. The only people who send me HTML emails are advertisers, spammers, and misguided friends who think I give a rat's behind whether they use bold or italics in their emails (I don't, and I can't tell because it's turned off). The only time I do view a message in HTML is if it's an invoice from a mail order company like NewEgg or Dell that I need to print, because it looks a lot better printed from the HTML. Also some of those emails you need to click a link in to validate an account with someone don't properly place the link into a text message.

As a convenient by-product, since half of SPAM is sent as HTML only for some bizarre reason (probably badly coded bots that just assume everyone has HTML enabled), with either no plain text or gibberish plain text, it makes a lot of my junk mail stand out like a sore thumb.

Only attachments I ever open are JPG images. Anything else, no way. I don't care if it's the greatest PowerPoint slide show since the creation of the universe, I'm not opening it, but more important it WON'T automatically open. I have to take the extra step to either click on "View as HTML" or open the attachment in the paper clip icon.

Only time I ever open an attachment is if it's a file from a client that they told me to expect, and I don't open it immediately - it gets saved to a temp folder and then virus scanned before I open it. Keep in mind that Word and Excel files can contain macro viruses (more brilliant scripting from M$).

And those of you using a web-based mail client are no better off. Most webmail clients show messages in HTML by default (and since you're already in your IE browser viewing the message....). Most of the better webmail clients allow you to disable HTML. I particularly like Mail2Web.com (which I use to access my own domain's email account when I travel) because it strips HTML by default - it gives you a link to view the message as HTML per session, per message if you want, at your discretion.

Paranoid? Hardly. Most serious IT people do what I do, and certainly all security people I know do this and maybe even more.

I can tell you that I do not run active background anti-spyware or anti-virus on most of my personal systems most of the time (systems only I have access to). I want max performance when gaming, and AS and AV apps give you a big performance hit. I have never infected myself. I do have those apps installed, but I use them mostly as on-demand scanners - to scan suspicious files, or scan the system if I suspect something might be wrong. I do run active background scanning on my laptop because I have to pop a lot of clients' discs into it.
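The "read all messages as plain text" behaviour described in the post above, as an added example (this is not code from the original post, and it is not how Outlook Express implements the feature). It uses only Python's standard `email` package. The three sample messages are constructed for this example; the addresses, the CLSID and the file names in them are placeholders. `triage()` reports what a plain-text reader would show: the text part if there is one, whether the message is HTML-only (the "sore thumb" spam signal from the post), whether the HTML part carries active content such as an `<object>` or `<script>` tag, and which attachments exist without opening any of them.

```python
"""Plain-text-first mail triage, the behaviour described in the post above.

Added example, not code from the original post; it uses only Python's
standard ``email`` package.  The three sample messages are constructed for
this example; addresses, the CLSID and file names are placeholders.
"""
import re
from email import policy
from email.parser import BytesParser
from typing import Dict

# Tags that can carry active content inside an HTML mail body.  <object> with
# a classid attribute is how an ActiveX control gets embedded; <script> is
# script.  A plain-text reader renders none of these.
ACTIVE_CONTENT = re.compile(r"<\s*(script|object|embed|iframe)\b", re.IGNORECASE)


def triage(raw: bytes) -> Dict[str, object]:
    """Parse one raw RFC 822 message and report what a plain-text reader sees."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    html_src = html.get_content() if html is not None else ""
    return {
        "subject": str(msg["subject"]),
        "text": plain.get_content().strip() if plain is not None else None,
        # An HTML-only message is the "sore thumb" spam signal from the post.
        "html_only": plain is None and html is not None,
        "active_content": bool(ACTIVE_CONTENT.search(html_src)),
        # Attachments are listed, never opened; the user takes that step.
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
    }


def reading_view(raw: bytes) -> str:
    """What 'Read all messages as plain text' would put on screen."""
    t = triage(raw)
    body = t["text"] if t["text"] is not None else (
        "[HTML-only message: no plain-text part; open the HTML part deliberately]")
    for name in t["attachments"]:
        body += f"\n[attachment not opened: {name}]"
    return body


# Constructed sample 1: ordinary multipart/alternative mail from a mail client.
NORMAL = b"""\
From: sales@example.com
To: me@example.com
Subject: Invoice 1234
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Your invoice total is $42.00.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><b>Your invoice total is $42.00.</b></body></html>
--b1--
"""

# Constructed sample 2: HTML-only, embedding an <object> (placeholder CLSID).
HTML_ONLY = b"""\
From: promo@example.net
To: me@example.com
Subject: You have won!!!
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<p>Click <a href="http://example.net/claim">here</a> to claim.</p>
</body></html>
"""

# Constructed sample 3: plain text plus an Excel attachment (saved, not opened).
WITH_ATTACHMENT = b"""\
From: client@example.org
To: me@example.com
Subject: Q3 figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Figures attached as discussed.
--b2
Content-Type: application/vnd.ms-excel; name="figures.xls"
Content-Disposition: attachment; filename="figures.xls"
Content-Transfer-Encoding: base64

AAAA
--b2--
"""

if __name__ == "__main__":
    for sample in (NORMAL, HTML_ONLY, WITH_ATTACHMENT):
        print(triage(sample))
        print(reading_view(sample), end="\n\n")
```

The Excel attachment in the third sample is reported by name only; as the post says, such a file gets saved and scanned before anyone opens it, and nothing in this reader decodes or renders it. Note that `get_body()` with a `("plain",)` preference list deliberately ignores the HTML part, so a message that only has HTML yields no text at all rather than a stripped-down rendering of the HTML.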
wvjohn
Posts: 9238
Joined: Wed Nov 22, 2000 7:09 am

Post by wvjohn »

All this queen bot etc. stuff is pretty interesting and makes the idea of a VM for browsing etc. look better and better.

Any of you tech guys care to post a primer or some links on how to set up a VM for browsing etc.?
Heatware: http://www.heatware.com/eval.php?id=123
FlyingPenguin
Flightless Bird
Posts: 32784
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

Well, the easiest way, by far, is to just download VMware's Browser Appliance. You'll either need the retail version of VMware or the free VMware Player.

Just create a folder in the Virtual Machines folder that VMware creates, and unzip all the files for the Browser Appliance into it. Then run VMware or the free VMware Player, select Open, browse to the folder and open the appliance. Add it to your favorites list also so you can make this one click later.

The Browser Appliance is a VM (Virtual Machine) that's a ready-to-go install of Ubuntu Linux with Firefox already installed. Just boot it and you're ready to browse.

I would recommend you create a snapshot after it boots the first time, before doing anything else. This is an image that is made of the VM that can be restored instantly at any time. Make a snapshot now and you have an image of a clean, non-infected install. What I would also recommend is that in the VM's settings you choose to "Restore to last snapshot on shutdown". What I do when I'm done with a session is, instead of shutting down the VM normally, I press the "Power Off" button in VMware, which instantly turns off the VM. Next time you turn on that VM, it will go to the snapshot, which takes you instantly back to the Ubuntu desktop exactly where you were when you took the snapshot - you won't have to wait for Ubuntu to boot each time (the same way Hibernation works). This also always restores you to a clean OS with nothing in it from any previous sessions.

VMware has several free open source VMs on their website you can download - different versions of Linux and FreeBSD, and other things.

To install a Windows OS in a VM you need to own a copy of Windows you can install. You also need the retail VMware because the free Player can't do new installs of OSes.

On my system I have several VMs:

- A Browser Appliance

- Two WinXP Pro "sandbox" installs (one is SP1 and the other is SP2) which are totally isolated from the host system for experimenting with dangerous stuff like viruses and malware.

- One each of Win98, WinME, Win2K Pro, Win2K Server, WinXP Home, Server 2003 Standard which I use for walking clients through problems on the phone, or to test settings.

- One Small Business Server 2003 and a WinXP Pro running SBS client on their own isolated network to emulate an SBS 2003 office.

The other nice thing about the newest version of VMware is that you can instantly "clone" an existing VM. This used to be more difficult with earlier versions. Need 5 identical WinXP systems for testing? Set one up and clone it 4 times.

VMware creates VMs that are ULTRA hardware compatible, so you won't have driver issues. Each VM you create emulates very standard hardware that any OS has built-in drivers for. Create a VM, boot it with your OS disc in the CD drive and let it install and detect all the hardware, then install VMware's drivers, which allow the VM to smoothly share all devices with your host system (you just click a menu item and the VM suddenly sees a CD connected to it containing the VMware drivers for that OS).

Depending on how much RAM you have (the big limiting factor) you can run several VMs at the same time, although more than a couple will have a noticeable effect on overall system performance. I never really need to run more than 2 at a time.

You also need a lot of free HDD space. Each VM needs at least 4 GB and as much as 6 GB. Each VM has a virtual hard drive that consists of several files; each VM is stored in its own folder in a "My VMware Machines" folder. On my system I have a separate 80 GB partition put aside just for the VMs.

If you want a good explanation and overview of VMware, Steve Gibson did a whole show on it on last week's Security Now Podcast (Episode 53). Worth listening to as a good intro to VMware. http://www.grc.com/securitynow.htm

Episode 50 is also a good intro to the whole concept of Virtual Machines, and he's supposed to talk more about VMs next week.
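The snapshot-and-revert routine from the post above (take a clean snapshot right after the first boot, then revert to it before every session and finish with a hard power-off), as an added example that is not from the thread; the post does all of this through the VMware GUI. The script assumes VMware's `vmrun` command-line tool is on the PATH, that `vmrun listSnapshots` prints the format shown in `parse_snapshot_list`, and that the `.vmx` path and the snapshot name are placeholders you replace with your own.

```python
"""Disposable browsing session on a VMware VM: revert to the clean snapshot,
boot, browse, then hard power-off, as described in the post above.

Added example, not from the thread, which does the same thing through the
VMware GUI.  It assumes VMware's ``vmrun`` command-line tool is on PATH, that
``listSnapshots`` prints the format shown in parse_snapshot_list, and that the
.vmx path and snapshot name below are placeholders you replace.
"""
import subprocess
from typing import List

VMRUN = "vmrun"
PRODUCT = "ws"  # vmrun -T ws for Workstation; "player" for the free VMware Player
VMX = "/path/to/Browser-Appliance/Browser-Appliance.vmx"  # placeholder path
CLEAN_SNAPSHOT = "clean"                                   # placeholder name


def parse_snapshot_list(output: str) -> List[str]:
    """Parse `vmrun listSnapshots` output (assumed format):

        Total snapshots: 2
        clean
        after-update
    """
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("Total snapshots:"):
        raise ValueError("unexpected vmrun listSnapshots output: %r" % output)
    return lines[1:]


def plan_session(vmx: str, snapshot: str, existing: List[str]) -> List[List[str]]:
    """The vmrun calls for one session, given the snapshots that already exist.

    First run (no clean snapshot yet): boot, take the snapshot right after the
    first boot before doing anything else.  Every later run: revert to that
    snapshot before booting, so nothing from a previous session survives, and
    finish with a hard power-off instead of a normal shutdown.
    """
    base = [VMRUN, "-T", PRODUCT]
    if snapshot in existing:
        return [
            base + ["revertToSnapshot", vmx, snapshot],  # back to the clean image
            base + ["start", vmx, "gui"],                 # resumes where the snapshot was taken
            base + ["stop", vmx, "hard"],                 # "Power Off": no clean shutdown
        ]
    return [
        base + ["start", vmx, "gui"],
        base + ["snapshot", vmx, snapshot],  # taken while running: keeps the desktop state
        base + ["stop", vmx, "hard"],
    ]


def run_session(vmx: str = VMX, snapshot: str = CLEAN_SNAPSHOT) -> None:
    """Run the plan, pausing for the user where the post says to wait."""
    listing = subprocess.run([VMRUN, "-T", PRODUCT, "listSnapshots", vmx],
                             check=True, capture_output=True, text=True).stdout
    for cmd in plan_session(vmx, snapshot, parse_snapshot_list(listing)):
        action = cmd[3]
        if action == "snapshot":
            input("Let the first boot finish, then press Enter to take the clean snapshot: ")
        elif action == "stop":
            input("Browse in the VM; press Enter here when done to power it off: ")
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    run_session()
```

With "Restore to last snapshot on shutdown" set in the VM's settings, as the post recommends, the explicit `revertToSnapshot` step is redundant but harmless; the script keeps it so the session starts clean even on a VM where that option was never set. The hard `stop` is deliberate: a normal guest shutdown would give anything picked up during the session a chance to run its shutdown hooks, and there is nothing worth preserving anyway.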
canton_kid
Golden Member
Posts: 1400
Joined: Tue Mar 26, 2002 5:01 pm

Post by canton_kid »

Thanks FP,
That was very informative and helpful, not that I actually understood it though.
I should when I play with VMware player though.

I should have it in about 3 hours or so if the dialup does not lose connection again
:mad
wvjohn
Posts: 9238
Joined: Wed Nov 22, 2000 7:09 am

Post by wvjohn »

thanks FP