One of the most crucial single steps you can take to eliminate this type of attack is using secure keys.  It takes a mere minute or two to generate and once in place and configured, no matter how hard they try, they will not get in without your proper key.  In /etc/ssh/sshd_config file you want to change:

PermitRootLogin no

PubKeyAuthentication yes

PasswordAuthentication no

Generating an SSH key is simple, from a command line interface you can type:

$ ssh-keygen

It will ask you where you want to put the key, the default setting is a safe setting. (/home/<user>/.ssh/id_rsa)

It is kosher to use a password and safest practice! It is ok however to leave it blank however you want to ONLY transfer the public key to where you want to use it over an encrypted connection.  Also make sure that it doesn’t get to a public place that will be copied by anyone, such as a shared computer at a library, etc.

The only file you need then is the id_rsa.pub and you’re set.  Copy that file to your .ssh folder wherever you want to access your computer remotely and you’re all set.

There are plenty of great tools available too in case you want to keep password login functionality.  Utilities such as ‘denyhosts’ is a great program that watches your log file for brute force attempts and puts their location into a deny hosts file so they can no longer attempt to login.

That’s it for now, time does not permit for more details. I hope this helps all you out there with insecure ssh settings!

It is available by searching through http://www.rootkit.com/ for ARK (Anti-RootKit).

I used that coupled with rootkit unhooker to locate, extract and eliminate some rootkits. I have recently discovered that this may not be enough and that there are still symptoms in a few systems i’ve analyzed that have “hooks” but no method i’ve used or other developers i’m working with have used have illuminated them.

On to my latest techniques.
I started a full memory scan of a system that ARK software is not able to either run or scan on. This memory scan is being run using Memoryze. Here are the articles I am following to do so:

http://www.openrce.org/articles/ – The First article on list: Memoryze Memory Forensics Tool

Memoryze is a very awesome utility because it dumps your entire memory with no bias! As follows I have saved the xml data to the installation folder where Memoryze resides and run the scan as they said. Once done I will be using Mandiant’s (the developers of memoryze) free audit viewer application available here with a signup:

http://www.mandiant.com/products/free_software/mandiant_audit_viewer/

Once I have this memory dump setup, i hopefully will get some really good results from it. Once I have fully implemented and utilized this and have a firm grasp on the technique I will provide another writeup here about my findings. My plans, should this be a great success, will be to setup automated dumps to be able to scan, upon which I will write some automated scripts to scan each dump on as many servers as needed for key factors and email a list so as to be able to track this stuff quickly and hopefully prevent it’s spreading!

I am in the works, though it is far off, of developing an anti-virus software.  I have developed a database and am still tweaking and modifying it to fit the needs. I will post another article in regards to this software once I have an online demonstration available.  It will first allow you to submit files and auto-check these files for infections.  I’ve seen some very very deep rooted viruses and my goals are to help locate and remove these viruses through advanced techniques.  The software will have the ability to “profile” viruses that are found in the wild and put this in an easily searchable database.  Right now I have 2 extremely rare, and extremely difficult to uproot viruses totally profiled in the database.

Once I have the online services functional and available for use I will work on developing daemons (background software) that will run on UNIX as well as Windows servers/desktops that will monitor, scan and search for these deep rooted files as well as typical exploits and malware. Hopefully this will prove effective!

I have included many fields in the database system, however here is a small example of some information gleaned from what i’ve discovered so far. This is a result set of files, checksums and sizes that can help identify malware as queried from the MySQL Database back end.

The file name that I discovered it under is pt.exe however it disguises itself in many different forms.  It is a VERY tricky virus and because of my findings Symantec has updated their virus definitions to discover this virus, I have had no such luck getting ahold of other anti-virus vendors, however I believe they will follow symantec’s steps soon.

The virus installs a hidden service called RPCEncSvc which looks like a legit service if you can even find it… It claims it’s a microsoft file however Microsoft is still disecting it.  Here are the symptoms of an infected system:

• Fully consumed system resources but task manager memory for the processes doesn’t add up in the process list.
• Slow response times.
• TCPView shows a <unknown process> listed making connections to a server at theplanet.com hosting.
• Your system bluescreens with a faulting module as: dmconfig.sys
• Screen flicker as though you hit print screen 1000x as fast as you can

The file pt.exe hides itself from the windows api so you cannot see it unless you boot the computer into safe mode.  When you do, run an md5 checksum on the file it will be residing in C:\Windows\ or %SYSTEMROOT%.  This is the md5sum that I have for the file:

• f79bed3e53cc2049449eae6ecb778ed6  pt.exe

In order to discover what was causing the issues I was seeing, I needed to use sysinternals from microsoft.com

Using tcpview.exe, procexp.exe, procmon.exe, and strings.exe I was able to profile the virus and propose methods to remove it.

It just goes to show that even the latest greatest in antivirus isn’t enough to protect your computer!  Switch to linux!

I will be posting more as I hear word from Microsoft and explore more about this virus.

xf86MapVidMem: Could not mmap framebuffer (0xdf000000,0×1000000) (Invalid argument)

This occured during gdm (gnome display manager) startup.  There was obviously an issue mapping video memory accross the virtual system.  Let me save you all the trouble.  It is SOO simple, and it applys to most systems I know… If you see this error in a Xen environment it will almost guaranteed be resolved by a simple addition to you kernel line entry for Grub. It needs to limit the memory, in my systems case I have 2048MB of memory (2GB Ram).  I have yet to try out adding the manual limit to 2048 but I did set dom0_mem=2000 and it works flawlessly.  Here is what my final line looks like (located in file /boot/grub/menu.lst):

kernel          /xen-3.2-1-amd64.gz com1=9600,8n1 console=com1,vga dom0_mem=2000M

Follow all the other instructions for setting up your Debian 5.0 Xen system and you are good to go.   You may have been wondering, what does this have to do with security?  It may not be directly related, however it is definitely a STRONG link to security.  Obviously if we setup a virtual system, we can build them all day long.  We can setup stand by systems so if we hose one, we have another ready to jump in.  The biggest advantage is, you can put Windows into a sandbox, run whatever you want, and if you end up getting virii, bloatware, etc, you can start anew.  Now there are obviously some things you don’t want to do, such as setup a virtual system and throw all your private information and sensative data on it and then go run ar ound carelessly.  The advantage is however, if you DO manage to get a virus no matter how careful you are, you can stop the virtual machine, build a new one quickly or start up your “cold spare” and open the old system up as a “virtual disk” and pull all your important information off and even find out how you got compromised to begin with.   The possibilities are limitless and it all starts with some safe practices!

Here is a quick fact:

Did you know that in order to keep a windows computer secure it’s not sufficient to have a single antivirus software installed on your computer? Software like Nortan Antivirus and Macafee do not sufficiently protect you.  Even their full blown suites of software do not give you adequate protection.  I have cleaned countless computers that have had over hundreds of virii on them despite having an up to date virus database and latest patches from Norton and any other name your flavor antivirus.

In every case that I have worked with, computers with Norton or Macafee or most major PAID antivirus software were often noticeably 2x slower than they were once the software was removed, this is prior to virus removal.  In many cases Norton slows your computer down more so than the actual virii that it was “designed” to protect!

Here are some quick solutions to help protect your computer:

Install the following FREE software:

• Firefox (latest)
• Adblock Plus Firefox Plugin
• MalwareBytes Anti-Malware
• Avast Antivirus

There are many other things you can do but just these 4 simple applications will nearly guarantee your safety from virii while perusing the world wide web.