SANS ISC: London bombing trojan, update on system monitoring attempts, Updates from Microsoft coming
London bombing trojan, update on system monitoring attempts, Updates from Microsoft coming
We have a collection of updates for you today: three fixes coming from Microsoft, reports of the Veritas flaw being exploited in the wild, and more harrowing tales of my attempt to keep track of what my system does.




Microsoft updates coming


Microsoft has stated that it will publish three security patches on July 12th: two for Microsoft Windows and one for Microsoft Office. At least one of the Windows updates is rated Critical, as is the Office update.




MitM tool released for MS RDP vuln


There is now a tool that can exploit the Microsoft RDP man-in-the-middle vulnerability reported in early June. There is no patch available for it, though SP1 for Windows Server 2003 should address it. Note that the attacker does actually have to be positioned in the middle of the connection (on the network path between client and server) for the tool to work; it is not a remote exploit against an RDP server by itself.




Compromises being reported from Veritas flaw


We have received a number of reports of systems being compromised via the Veritas remote agent vulnerability. If you are one of those who haven't yet patched your systems, you might want to get around to it now, as this one is being actively exploited.




US-CERT warns of targeted trojan email attempts


US-CERT has published a warning that they have seen an increase in the use of email as a method of spreading trojans, specifically targeted messages aimed at particular organizations. This has been discussed for a while now and appears to duplicate the warning sent out via other national CERTs, but it is still a good read.




Email virus claiming to be news of London bombing


It seems that someone with no sense of decency has started spreading a virus via email. Consider yourselves warned. :(




More adventures in System monitoring


Last time I was on duty, I posted a rant about my frustrations with monitoring the state of my system and having confidence that I knew everything that was executing and what it was doing. In response I got a number of excellent suggestions and pointers to tools to try.


Since then I've tried a number of different products and am quite pleased to announce that although I still don't have as much visibility (and more importantly, clarity) into what my system is doing as I would like, I have managed to make background tasks take up enough system resources to cause a system with a 1.6GHz processor and a GB of RAM to crawl. And interestingly enough, it seems that battery life when in _standby_ mode drops dramatically as well.


I mentioned a couple of the tools I was going to try in my rant. Since then I've given up on all of them. Xintegrity had a nice interface but kept taking 6 hours to do a complete system analysis and then crashing near the end of the job. So much for that. Osiris is an excellent tool and had a good baseline for Windows XP, but it really didn't give me the sort of information I was looking for.


The two primary tools that I've found and am using consistently are:
All Seeing Eye and ProcessGuard. I've started using the NoScript Extension for Firefox and really love it, though the "allow scripts temporarily" feature seems buggy, as it keeps causing Firefox to crash.


All Seeing Eye is a general system monitoring tool, it watches processes, the system startup, DLLs, log files, BHOs, ActiveX, the registry... it does tons of stuff. Unfortunately, it doesn't give a lot of information about what any changes may mean which leaves you in the position of trying to figure out how you should feel about the things it is telling you. It also eats at least 5% of your processor and because of the disk monitoring, it eats battery life in a laptop as well. I like it a lot but I don't let it run all the time, especially when not plugged in to the wall.


ProcessGuard is focused on watching the actual processes running on your system directly. This is nice as it warns you any time anything starts and also tells you how it was started and what started it (which is pretty interesting to watch). It doesn't seem to have much impact on the system except to maybe slow it a little (but not enough to notice by itself for most things). The interface is pretty good too. Overall I think it is a good addition.


Did I find what I wanted? Nope! I wanna see all the things being routed through svchost.exe and System processes, and none of these tools made me feel _really_ good about the potential for DLL insertion and other nasty things (though ASE and ProcessGuard are helping some).



If you have more suggestions, let me know. I'll try things out and report back.
Toby
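
The svchost.exe visibility asked for above is something the stock Windows tooling can partly provide, since each svchost instance is just a host process for one or more services registered in the Service Control Manager. The following PowerShell script is an added example (it is not code from this diary, nor from All Seeing Eye or ProcessGuard): it maps every running svchost.exe to the services it hosts, enumerates the modules loaded into each one, flags any module whose Authenticode (or catalog) signature does not verify, and diffs the loaded-module set against the previous run so newly injected DLLs stand out. It assumes an elevated session on a current Windows build; the baseline file path is an arbitrary choice for the example.

```powershell
# Added example: map svchost.exe instances to hosted services and flag unsigned loaded modules.
# Assumes an elevated PowerShell session (module enumeration of SYSTEM processes needs it).
# The baseline path below is an arbitrary choice for this example.
$BaselinePath = "$env:ProgramData\svchost-baseline.json"

# Group all services by the PID that hosts them; a shared svchost shows several services.
$svcByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -gt 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

$report = foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    $hosted = @()
    if ($svcByPid.ContainsKey([string]$proc.Id)) {
        $hosted = $svcByPid[[string]$proc.Id] | ForEach-Object { $_.Name }
    }

    # Enumerate loaded modules; access is denied for protected processes, so tolerate failure.
    $modules = @()
    try { $modules = @($proc.Modules) } catch { }

    # Anything that is not validly signed (directly or via a catalog) is worth a look.
    $unsigned = foreach ($m in $modules) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
        if ($null -eq $sig -or $sig.Status -ne 'Valid') { $m.FileName }
    }

    [pscustomobject]@{
        Pid      = $proc.Id
        Services = (@($hosted) | Sort-Object) -join ','
        Modules  = @($modules | ForEach-Object { $_.FileName } | Sort-Object)
        Unsigned = @($unsigned)
    }
}

# Print the PID -> services mapping and any modules that failed signature verification.
foreach ($r in $report) {
    "svchost PID $($r.Pid): $($r.Services)"
    foreach ($u in $r.Unsigned) { "  UNSIGNED/UNVERIFIED: $u" }
}

# Compare against the previous run so new DLLs stand out, then save the current state as the baseline.
if (Test-Path $BaselinePath) {
    $old = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    $oldModules = @($old | ForEach-Object { $_.Modules })
    $newModules = @($report | ForEach-Object { $_.Modules })
    Compare-Object -ReferenceObject $oldModules -DifferenceObject $newModules |
        Where-Object { $_.SideIndicator -eq '=>' } |
        ForEach-Object { "NEW since baseline: $($_.InputObject)" }
}
$report | ConvertTo-Json -Depth 4 | Set-Content $BaselinePath
```

Run it once to establish the baseline and then on a schedule; a module that was not present last time, or a DLL under System32 reporting NotSigned, is the kind of DLL insertion the post is worried about. Two caveats: the services-per-PID mapping is only as trustworthy as the SCM database itself, and an injected DLL that has already been unloaded between runs will not be caught, so this complements rather than replaces a real-time process monitor.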
