CERT, just released their "Windows Intruder Detection Checklist" from the article :
"This
document outlines suggested steps for determining whether your Windows
system has been compromised. System administrators can use this
information to look for several types of break-ins. We also encourage
you to review all sections of this document and modify your systems to
address potential weaknesses."
I find it a well summarized checklist, perhaps the first thing that I looked up when going through it was the rootkits section
given the topic. It does provide links to free tools, but I feel they
could have extended to topic a little bit. Overall, consider going
through it. Another checklist I recently came across is the "11 things to do after a hack" and another quick summary on "10 threats you probably didn't make plans for".
Rootkits
are gaining popularity, and with a reason -- it takes more efforts to
infect new victims instead of keeping the current ones, at least from
the way I see it. In one of my previous post "Personal Data Security Breaches - 2000/2005" I mentioned about a rootkit placed on a server at the University of Connecticut
on October 26, 2003, but wasn't detected until July 20, 2005, enough
for auditing, detecting attackers and forensics? Well, not exactly,
still something else worth mentioning is the interaction between
auditing, rootkits and forensics. There's also been another reported
event of using rootkit technologies for DRM(Digital Right Management) purposes, not on CDs,
but DVDs this time, so it's not enough that malware authors are
utilizing the rootkit concept, but flawed approaches from companies
where we purchase our CDs and DVDs from, are resulting in more threats
to deal with!
Check CERT's "Windows Intruder Detection Checklist" and if interested, also go though the following resources on rootkits and digital forensics :
Windows rootkits of 2005, part one
Windows rootkits of 2005, part two
Windows rootkits of 2005, part three
Malware Profiling and Rootkit Detection on Windows
Timing Rootkits
Shadow Walker - Raising The Bar For Windows Rootkit Detection - slides
When Malware Meets Rootkits
Leave no trace - book excerpt
Database Rootkits
Rootkits and how to combat them
Rootkits Analysis and Detection
Concepts for the Stealth Windows Rootkit
Avoiding Windows Rootkit Detection
Checking Microsoft Windows Systems for Signs of Compromise
Implementing and Detecting Implementing and Detecting an ACPI BIOS Rootkit
Host-based Intrusion Detection Systems
Forensics Tools and Processes for Windows XP Clients
F.I.R.E - Forensic and Incident Response Environment Bootable CD
Forensic Acquisition Utilities
FCCU GNU/Linux Forensic Bootable CD 10.0
iPod Forensics :)
Forensics of a Windows system
First Responders Guide to Computer Forensics
Computer Forensics for Lawyers
Technorati tags:
security, information security, forensics, rootkit, security breach, CERT
Wednesday, February 15, 2006
Detecting intruders and where to look for
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com