Last Updated: 2007-11-21 01:21:34 UTC
by Kevin Liston (Version: 1)
Holiday/Family Incident Response: Why and How
Apologies in advance that this is Windows-centric.
Many of us are going to be visiting friends and family over the next couple of months while celebrating a number of year-end holidays. Often, we are tapped for on-site tech-support duty in exchange for holiday treats.
Yesterday George posted a request for what's in your holiday/family incident response toolkit. Overnight I collected the responses in the hope of presenting a useful and organized list.
Incident response under these conditions can be far harder than what one encounters at the day job. The builds are non-standard, there are rarely backups to rely on, and the data are irreplaceable (personal financial data, photographs, genealogical projects, etc.). The stakes are often higher.
The response methodology is similar to what you'd run into at work:
- Lessons Learned/Prevention
Hopefully that was done last year when you put on AV, firewalls, and anti-spyware. This year, the root-kit detection tools are more widely available, so it's a good time to update your jump-kit and your framework.
The first step is an interview with the machine user. You should ask things like:
- "Have you patched recently?"
- "Is the machine running slowly?"
- "Getting a lot of pop-ups?"
Follow the interview with an inspection to verify that the AV is present, running, and up-to-date. Ensure that the OS is fully patched. Peek at the hosts file. See if there is reason to suspect that the machine is compromised before you start tearing into it.
Should you determine that the machine has been compromised, it is time to start backing up the important files from the machine. The only sure approach to cleaning a system is to rebuild it. There were many spyware/virus cleaning tools submitted, but I consider them useful only in the Identification phase to determine if the machine has been compromised. I personally do not recommend them for reliable system cleanup.
If the system was properly secured last time, and no ill has come of it, then congratulations. But your work is not over. This final stage is the most important stage in incident response. Go over what you found in your investigation, point it out, and provide a solution. No anti-virus? Put one on. No backups? Make one. Firewall not enabled? Enable it. This is the point where you provide additional instructions, set up an ongoing tech-support option (if you're brave/generous enough), and suggest alternatives (say, move them from IE7 to Opera or Firefox, which have their own issues, so you have to carefully consider the consequences of that).
I broke the tools down into the following categories:
- Frameworks - how one deploys the tools to the system
- System Analysis
- Malware Analysis - a subset of System Analysis tools focused on analyzing the malware
- Network Analysis
- Registry Cleanup
- Remote Support
- Browser protection
CD vs. USB
How should you transport your tools to the site? There are good arguments for both burned CDs and USB drives.
Burned CDs/DVDs:
- You can leave copies behind for them to use
- It's hard to infect them
- Capacity - a trade-off can be made between capacity and expense by switching to DVD
USB drives:
- Flexibility - you can write to them
- Make nice gifts
- Risky, if you don't write protect them
- Costlier than CD/DVD media
Of course one can simply run from the CD or USB on the live system. In some cases this is the best first step, especially if you suspect something like a botnet running on the system. Live incident response can quickly identify that the machine is compromised and provide you with the code that's causing the traffic right away (see below for the System Analysis tools one can use in these cases).
Others prefer to work from a boot-disk when analyzing a system, particularly when a root-kit is suspected. These came in two varieties, Windows-based and Linux-based.
For the Windows-based options, people recommended:
- BartPE (http://www.nu2.nu/pebuilder/)
- Ultimate Boot CD (http://www.ubcd4win.com)
- PortableApps (http://portableapps.com/)
For Linux-based options try:
- BackTrack 2 (http://www.remote-exploit.org/backtrack.html)
- Knoppix (http://www.knoppix.org/); also take a look at the Knoppix variant Knoppicillin
- Helix (http://www.e-fense.com/helix/)
- Ubuntu 7.10, which supports read/write access to NTFS partitions
Anti-virus tools can be used for an initial assessment of the system. One (or more) of these should be left installed on the system when you leave. There are plenty of great commercial solutions; I'm only listing free solutions today:
- Grisoft's AVG (http://www.grisoft.com)
- ClamWin (http://www.clamwin.com/)
- Avast! (http://www.avast.com/eng/avast_4_home.html)
- Avira Antivir (http://www.free-av.com/)
- Microworld Free AV toolkit (http://www.mwti.net/products/mwav/mwav.asp)
Like anti-virus tools, anti-spyware tools play a role in the initial assessment of the system, and should be installed on the system when you leave it, for added protection.
- Spybot Search and Destroy (http://www.safer-networking.org/en/spybotsd/index.html) the most commonly suggested tool
- Adaware (http://www.download.com/Ad-Aware-2007-Free/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5)
- Sunbelt's CounterSpy Trial Edition (http://www.sunbelt-software.com/Home-Home-Office/CounterSpy/)
- cwshredder (http://www.intermute.com/spysubtract/cwshredder_download.html) a very focused spyware cleaner
- Spywareblaster (http://www.javacoolsoftware.com/spywareblaster.html)
- Winpatrol (http://www.winpatrol.com/)
- BOClean (http://www.comodo.com/boclean/boclean.html) which I find to be an interesting little tool
- PC Tools Spyware Doctor (http://www.pctools.com/spyware-doctor/)
- Runscanner (http://www.runscanner.net)
We did not have many anti-rootkit tools last year. They may turn up things that aren't showing up in your other scans.
- Sysinternals RootkitRevealer (http://www.microsoft.com/technet/sysinternals/Utilities/RootkitRevealer.mspx)
- F-Secure Blacklight (http://www.f-secure.com/blacklight/)
- GMER (http://www.gmer.net)
- AVG Anti-rootkit (http://www.grisoft.com/doc/download-free-anti-rootkit)
- IceSword (http://www.antirootkit.com/software/IceSword.htm)
- Rootkit Unhooker (http://antirootkit.com/software/RootKit-Unhooker.htm)
- Sophos Anti-rootkit (http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html)
The guys over at RaDaJo (RAul, DAvid and JOrge) Security Blog have an article inspired by George's post featuring Anti-Rootkit tools: http://radajo.blogspot.com/2007/11/anti-rootkit-windows-tools-searching.html.
Burning a copy of irreplaceable photos and other documents to CD/DVD is time well spent, whether or not the system is compromised and needs to be reinstalled. They will likely not regret the time put into this important defensive measure. Reader Robert suggests that you can avoid a lot of drag-and-drop effort by using Areca (http://areca.sourceforge.net/).
There is a tremendous number of little programs that can give you an eye into what is going on in the system. These are used during the live response stage of your Holiday/Family incident response. HijackThis was the overwhelming favorite, followed by strong support for the Sysinternals tools.
- Hijackthis (http://www.spywareinfo.com/~merijn/programs.php)
- Sysinternals Process Explorer (http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx)
- Sysinternals Autoruns (http://www.microsoft.com/technet/sysinternals/Utilities/AutoRuns.mspx)
- Sysinternals TCPView (http://www.microsoft.com/technet/sysinternals/Utilities/TcpView.mspx)
- Sysinternals Procmon (http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx)
- Sysinternals Filemon (http://www.microsoft.com/technet/sysinternals/utilities/filemon.mspx)
- Sysinternals Streams (http://www.microsoft.com/technet/sysinternals/FileAndDisk/Streams.mspx)
- DatFind (http://virus-protect.org/datfindbat.html), an interesting little German batch file that reports on recently changed system files
- LADS (http://www.heysoft.de/nt/ep-lads.htm)
- OpenPorts (http://www.topshareware.com/DiamondCS-OpenPorts-download-7334.htm)
- WhyReboot (http://exodusdev.com/products/WhyReboot/)
- Microsoft XP Change Analysis Diagnosis Tool (http://support.microsoft.com/?kbid=924732)
- XRayPC (http://www.x-raypc.com) which has some interesting client/server applications for remote tech support
Use of these tools can occupy a lot of your time and requires a fair amount of experience. Russ has offered a helpful write-up of a Rapid Malware Response/Analysis process (http://holisticinfosec.org/publications/MalcodeAnalysisTechniquesForIH_McRee.pdf).
These tools were offered up to take a closer look at the malware that has been found on the system. Using them requires a larger investment of time than many people have while visiting, but for future use they might be handy to have in your own incident response toolkit.
- Mandiant Red Curtain (http://www.mandiant.com/mrc)
- OllyDbg (http://www.ollydbg.de) a freeware debugger for tracing program execution
- PEiD (http://peid.tk) for detecting packers, cryptors and compilers
- WinDiff (http://www.grigsoft.com/download-windiff.htm) for comparing files
- XVI32 (http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm) for hex editing
It is sometimes easier to determine if a system is compromised by looking at the network traffic leaving the system, especially if you're familiar with protocol analysis. Commonly suggested tools were:
- Wireshark (formerly known as Ethereal) (http://www.wireshark.org)
- Nmap (http://insecure.org/) for scanning the suspected system for backdoor listeners
- SmartSniff (http://www.nirsoft.net/utils/smsniff.html) a smaller packet capture program
A few tools were submitted that promise to clean up the registry and other system files to improve system performance.
- CCleaner (http://filehippo.com/download_ccleaner/) commonly recommended by readers
- EasyCleaner (http://personal.inet.fi/business/toniarts/ecleane.htm)
Some brave and generous people offer remote tech support to their families. They have recommended:
It is not something that I would recommend or personally do. For selfish reasons, I don't look forward to late night tech support phone calls from Aunt Minnie. Nor do I like opening up a remote control panel on a machine that I'm trying to protect.
This was the focus of last year's post (how to get all of the updates for Grandma's PC together). The Offline-Update project (http://www.heise.de/ct/projekte/offlineupdate/download_uk.shtml) promises to solve the problem of building your own CD or USB to patch your relatives' machines that have only dial-up connections to the internet. But what about all of those applications on the system? Attacks are moving from OS vulnerabilities to leveraging vulnerabilities in applications like audio players and PDF readers. Secunia offers a program that can inventory and assess the applications installed on the system. Details are available at: https://psi.secunia.com/.
Many submissions suggested moving the user from IE to Firefox or Opera. They also suggested using McAfee's SiteAdvisor (http://www.siteadvisor.com/) and Netcraft's Toolbar (http://toolbar.netcraft.com/).
Other protection methods
- Ensure that the firewall is enabled and configured properly.
- Enable DEP if it is available
- Tony suggests modifying the hosts file to add further protection (http://www.mvps.org/winhelp2002/hosts.htm)
- Enlist their system to submit logs to DShield
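A small triage script for the "peek at the hosts file" check in the Identification step and for the MVPS hosts-file hardening suggested above. It is added here and is not from the diary or from any of the tools listed; PROTECTED_SUFFIXES is an assumed starter list and the sample hosts content is constructed. MVPS-style entries sink names to 0.0.0.0 or 127.0.0.1 and are benign, whereas any entry touching an AV-vendor or Windows Update name, whether blackholed or redirected, is flagged as tampering.

```python
"""Triage a Windows hosts file (hypothetical helper, not from the diary).
MVPS-style hardening sinks ad/malware names to 0.0.0.0 or 127.0.0.1; malware
instead adds AV-vendor and Windows Update names to block signatures and patches."""
import ipaddress

# Names that must never be remapped on a home PC (assumed list; extend as needed).
PROTECTED_SUFFIXES = ("windowsupdate.com", "microsoft.com", "grisoft.com",
                      "avast.com", "free-av.com", "safer-networking.org")
BLACKHOLE = {ipaddress.ip_address(a) for a in ("0.0.0.0", "127.0.0.1", "::1")}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping, skipping comments."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except (IndexError, ValueError):
            continue                      # blank, comment, or malformed line
        for name in fields[1:]:
            yield no, ip, name.lower()

def is_protected(name):
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)

def triage_hosts(text):
    """Sort mappings into hijacked / blocked / redirects buckets."""
    out = {"hijacked": [], "blocked": [], "redirects": []}
    for no, ip, name in parse_hosts(text):
        if name.startswith("localhost") and ip in BLACKHOLE:
            continue                      # the stock loopback lines
        if is_protected(name):            # AV/update site touched at all: bad
            out["hijacked"].append((no, str(ip), name))
        elif ip in BLACKHOLE:             # MVPS-style block entry: benign
            out["blocked"].append((no, str(ip), name))
        else:                             # LAN names or pharming: eyeball these
            out["redirects"].append((no, str(ip), name))
    return out

SAMPLE_HOSTS = """\
# Constructed sample of a tampered XP hosts file (not a real capture)
127.0.0.1    localhost
0.0.0.0      ad.doubleclick.net    # MVPS-style block, fine
127.0.0.1    www.grisoft.com       # AV updates silently broken
192.0.2.45   www.avast.com         # redirected off the machine
192.168.1.20 printer.home          # harmless LAN entry
"""

if __name__ == "__main__":
    for bucket, entries in triage_hosts(SAMPLE_HOSTS).items():
        print(bucket, entries)
```

On the relative's machine, feed the contents of %SystemRoot%\system32\drivers\etc\hosts to triage_hosts() and review the hijacked and redirects buckets by hand.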
Kevin Liston (kliston at isc dot sans dot org)