Sunday, February 27, 2011

Software : Tutorial: How to detect unknown malware with WinPatrol


Tutorial: How to detect unknown malware with WinPatrol

Posted: 27 Feb 2011 02:00 AM PST

Host-based intrusion detection is a serious consideration for people wishing to stay safe online from as-yet unknown threats.

Knowing exactly what's happening under the hood is also the first step in controlling what your computer does and when. Linux has enjoyed the protection of major open source intrusion detection systems (IDS) for some time.

Windows users have fewer options, but that doesn't mean the threats facing it are any less dangerous. The landscape is now changing so fast that it takes a large and growing online security industry to keep up.

To help gain and keep the upper hand, it's becoming necessary to counter unknown threats as well as trying to spot and stop the known ones. To help, a new class of anti-malware has emerged.

Combining the advantages of an intrusion detection system (IDS) with other software can help detect and block malicious activity, and even clean up after a successful attack.

Detecting intrusions

There are two main types of IDS, which differ in the scope of their protection. A network IDS (NIDS) sits at a strategic point on the network – such as between the internet router and the internal network – where it can see all the data packets as they flow by. It inspects all traffic flowing across, into and out of the network, looking for activity indicating a remote attack.

By contrast, a host-based IDS (HIDS) is installed on each networked computer, and monitors traffic flowing in and out of just that machine. This second type of IDS can be quite specialised, and can monitor individual aspects of the system and its behaviour – such as changes to the Registry.

A protocol-based IDS (PIDS) is an even more dedicated IDS. It's installed on a server (or somewhere it can see all the traffic flowing in and out of the server) and monitors use of the server's specific network connections. It might be installed on a web server to monitor that server's protocols, for example.

The detection techniques employed by an IDS fall into several categories. The simplest of these is signature-based. Like most antivirus packages, this tests a huge number of traffic patterns against a large database of profiles generated by known attack types. As with antivirus software, this database must be updated regularly, as new attack signatures become available.

Unlike static virus signatures however, an IDS attack signature has a distinct time element because it needs to understand the order, sequence and possibly even the delays between the packets involved in the attack as they arrive.

Anomaly detection

Anomaly-based intrusion detection is more sophisticated and intelligent. It first establishes a baseline of 'normal' network activity by monitoring network traffic for a while, including the general amounts of bandwidth used, the protocols used, the associated ports, the number of connections and which devices generally connect to each other.

Once in detection mode, the system will compare this baseline to subsequent network traffic patterns. Anything out of the ordinary is considered suspicious.

POSSIBLE THREATS: If you find something potentially dodgy on your system, you can view its details and even add a note for future reference so you don't forget

In an application protocol IDS (APIDS), the baseline is even more specific and has to be far more detailed. To be effective, the APIDS monitors the traffic received and transmitted by the network protocol, so it has to understand in depth the way the protocol is being used in order to look for anything that deviates from the way it's normally used.

Regardless of the detection technique used, once an IDS identifies suspicious activity, it can take two courses of action: active or passive. A passive IDS simply detects and logs anomalies in system behaviour and reports them to the user or system administrator.

An active IDS (intrusion prevention system) can respond automatically to the perceived threat by blocking incoming IP addresses, blocking specific applications from transmitting data, blocking potentially malicious changes to the system, and even by preventing code from running.

WinPatrol

WinPatrol has been protecting computers for over a decade, and has just received an overhaul for Windows 7. Although the commercial version has some very useful facilities, the free one is perfectly good for protecting computers on a home network.

After downloading, run the installation executable and click 'Next'. That's all there is to it. At the end, click 'Finish' to run the application and the user interface will appear. If you have audio enabled you'll hear a 'woof' sound.

The main user interface is packed with three rows of tabs, though some are only accessible in the Plus (paid) version of the software. Click the 'Startup programs' tab and you'll see a list of all the programs that start when Windows does.

Although Windows 7 is blindingly fast to boot up compared to earlier versions of the operating system, it can be slowed by this extra load. By selecting a program and clicking 'Remove' or 'Disable', you can temporarily suspend auto-startup of that program, or if it proves to be the one increasing your system boot up time, remove it from the list.

Removal doesn't uninstall the program. If there's anything in this list that you don't recognise, select it and press the 'Info' button. If you're still not convinced that it's benign based on the information, disable it and reboot. If nothing untoward happens, remove it from the list.

The next tab, 'Delayed start', enables you to stagger the startup times of different applications. If you always use a browser first when you boot up and log in, you can add it to the 'Delayed start' tab to make sure that there are no resource contentions, and that the rest of the operating system is up and running before the browser tries to connect to the internet.

Click 'Add', then navigate to the executable for the application. Select it and click 'OK'. Select whether you want the application to start for all users or just you then click 'OK'. Now click the 'Delay options' button. Enter a title for the startup job and a time to wait from bootup to running the application. If the program needs any command line options passing to it, enter these in the 'Parameters' box.

Finally, select the way you want the program to appear – maximised, in a window or minimised to the task bar. Click 'OK' and the name of the delayed startup job changes to the one you entered. Reboot and WinPatrol should implement your changes.

Many people refuse to upgrade to the latest version of Internet Explorer, which means it's the target of all kinds of malicious and potentially malicious browser helper objects (BHOs). These extend the functionality of IE and are loaded when you run the browser. They can also increase the browser's startup time.

They often can't be uninstalled or even seen by normal users – perfect for installing adware and spyware.

Cleaning up IE

Click on the 'IE Helpers' tab in WinPatrol and you'll see a long list of these, plus the browser's toolbar add-ons. If you're irritated by installation programs insisting that you install the Yahoo Search bar, for example, you can remove it here.

The amount of on-screen space taken up by IE's normal toolbars is substantial, without having it further reduced by something you don't want. Select a BHO or toolbar from the list and click 'Info' to learn more. If you don't like what you see, click 'Remove' to delete it from IE and the system.

You'll be asked to confirm your choice before deletion takes place. Malware can also pose as or hijack legitimate scheduled tasks. To inspect these, click the 'Scheduled tasks' tab. Again, click 'Remove' to take any unnecessary or dodgy tasks out of the list.

This and the other two startup tabs are also a great way to clean up a new PC that annoys you with nagware. Now we can move on to the meat of host-based intrusion detection: detecting changes to the system that may indicate the presence of malware, spyware, or adware.

Click the 'Options' tab to configure WinPatrol for detection. Homepage hijacking is finding increasingly sophisticated roles in online crime. With 'Detect Changes to Internet Explorer home and search pages' selected, you'll be notified of any changes to the browser or its configuration.

Detecting changes

The HOSTS file is a throwback to the days before DNS, but it's also the first port of call for any internet-aware program trying to resolve domain names into IP addresses. These programs will use the domain/IP address mappings in the HOSTS file without question, so if this file is changed it can make you believe you're accessing legitimate websites when in fact you're being redirected to malicious ones.

HOSTS FILE: If malware makes changes to the HOSTS file on your computer, it can redirect you to anywhere on the internet without your knowledge

The 'Warn if changes are made to my internet HOSTS and critical system files' option will keep you safe from this form of attack. You can also view the 'HOSTS' file with the appropriate button; Notepad pops up to display it.

The 'HOSTS' file contains a few examples of mappings between DNS names and the associated IP addresses. A hash ('#') symbol at the start of a line indicates that the line is commented out. If you see a mapping without a hash before it, and you didn't put it there, place a hash at the start of the line, save the file and reboot to see if it breaks anything. If not, malware may well be trying to redirect you to a malicious page.
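The manual check described above can be scripted. The following PowerShell is an added example, not part of the original tutorial or of WinPatrol: it lists every active (uncommented) mapping and flags those missing from an expected list. The function names, the sample lines and the $expected table are constructed for illustration, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: audit active HOSTS mappings against an expected list.

function Get-ActiveHostsEntry {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Everything after '#' is a comment; a leading '#' disables the line.
        $active = ($line -split '#', 2)[0].Trim()
        if (-not $active) { continue }
        # Format: IP address, then one or more host names, whitespace-separated.
        $fields = $active -split '\s+'
        if ($fields.Count -lt 2) { continue }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{ Address = $fields[0]; HostName = $name.ToLower() }
        }
    }
}

function Find-UnexpectedHostsEntry {
    param([string[]]$Lines, [hashtable]$Expected)
    # Flag names that are not expected, or that map to a different address.
    Get-ActiveHostsEntry -Lines $Lines | Where-Object {
        -not $Expected.ContainsKey($_.HostName) -or
        $Expected[$_.HostName] -ne $_.Address
    }
}

# Constructed sample content (documentation address range, .test names).
$sample = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.',
    '#      102.54.94.97     rhino.acme.com          # source server',
    '127.0.0.1       localhost',
    '203.0.113.45    www.example-bank.test   login.example-bank.test',
    '# 203.0.113.99  already-disabled.test'
)

# Mappings you put there yourself (constructed).
$expected = @{ 'localhost' = '127.0.0.1' }

# Reports the two example-bank.test names; localhost and comments are ignored.
Find-UnexpectedHostsEntry -Lines $sample -Expected $expected |
    Format-Table -AutoSize

# To audit the live file instead of the sample:
# $live = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts"
# Find-UnexpectedHostsEntry -Lines $live -Expected $expected
```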

As WinPatrol runs, it creates a log file of events that you can view with the 'WinPatrol log' button. The resulting HTML page gives information about everything that happens on your PC. Pressing the 'Spreadsheet report' button will create a spreadsheet containing the same data. This is written to 'BillP\WinPatrol' in the 'Program Files' folder of your C:\ drive.

One last useful option on this tab is 'Lock file types'. If you've ever been frustrated by legitimate programs changing your carefully modified file associations even when you asked them not to, this option is for you. It prevents such changes from happening.

Tutorial: Windows Event Viewer tips and tricks

Posted: 27 Feb 2011 12:00 AM PST

The Event Viewer doesn't look like a very exciting Windows component. If your PC is unstable you might use it to check for error messages, but otherwise, well, that's about all. Or is it?

Look a little closer and you'll discover that the tool has all kinds of useful additional capabilities. It can sometimes be hard to find important events using the default settings, but creating a custom view will help you zoom in quickly on the data that really matters, which can be an essential troubleshooting aid.

If you have a network, then you can set up one copy of the Event Viewer to collect events from several PCs, and manage them all centrally.

One excellent feature gives you the ability to run a particular program or task when a given event occurs. If a program crashes you could restart it, for example. If you're short on hard drive space, you could delete your temporary files – whatever you like.

Then there are the secret Event Logs that you may not even know exist, the leftover logs that need to be deleted, the hidden management features and a whole lot more.

Please note, while we're focusing on the Windows 7 Event Viewer here, much of what we're saying also applies to Vista and even XP. Whichever version of Windows you're using, the Event Viewer deserves a much closer look.

The basics

The prime purpose of Event Viewer is to act as a log for various applications and Windows components. Many of these don't have an interface, or don't report all their problems and status issues via alert messages, so if you want to find out what's really going on with your PC then it's essential to take a look at the Event Viewer on a regular basis.

You can access the viewer via the Control Panel (go to 'System and security | Administrative tools | View event logs' if you're using Windows 7), but we find it easier to launch the tool directly: click 'Start', type eventvwr.msc, click the 'Event Viewer' link and it will pop up in a second or two.

If you just want to find out more about your PC, then you can expand the 'Windows Logs' section of the tree and browse the Application, Security, Setup and System logs for any interesting looking events.

These logs are presented in reverse chronological order, so the most recent events are at the top and as you scroll down you'll move back in time.

What will you see here? It depends entirely on the setup of your system, but we checked a test PC and came up with many interesting entries. There were detailed error messages for application and system crashes, for instance. If you come home and someone tells you the PC crashed an hour ago, but they can't remember the error message, the Event Log may tell you more.

We found performance-related information, including an Outlook message that said its launch was delayed because of a particular add-on. There were also warnings about four boot drivers that had failed to load. That's information we wouldn't have found anywhere else, and could explain all kinds of odd system behaviour.

Other issues

There were also events relating to the PC startup and shutdown process, installed programs, hardware problems, and many other issues. You wouldn't want to browse the Event Viewer for fun, but if you're having any kind of computer issues then it's wise to give it a closer look – you just might find the clues you need to uncover their real cause.

The problem with scrolling through the main Windows logs is that there are only a few interesting events, and they're masked by a great deal of irrelevant junk. Fortunately the Event Viewer provides several alternatives that will help you zoom in on the data that matters.

The Windows 7 Event Viewer, for instance, opens with a useful 'Summary of Administrative Events'. Particularly important event types, such as 'Critical', 'Error' and 'Warning', are listed right at the top and you can expand these to find out more.

Trying this on our test system revealed seven disk errors in the past week. Double-clicking the entry revealed the details, and it turned out one of our drives was experiencing controller errors. Could the drive be about to fail? We're not sure, but at least the Event Viewer has given us a warning so we can back it up.

Another possible option is to expand the 'Applications and Services Logs' section of the viewer. This area contains logs dedicated to applications and areas of your system, such as hardware events, Internet Explorer and Media Center.

Perhaps the most important log here is a little buried, though. Browse to 'Applications and services logs | Microsoft | Windows | Diagnostics-Performance | Operational' and you'll find information about your PC's boot and shutdown processes. Again, everyone will see different things, but when we checked this log on our PC we found a wealth of essential data.

There were events warning us that the Bonjour Service, Function Discovery Resource Publication Service and Orbit Downloader were all causing delays in the system shutdown process. Other events pointed fingers at particular programs for delaying our PC's boot, too – if we were to remove anything non-essential, our system would speed up.

There were general warning events too, such as 'Video memory resources are over-utilised and there is thrashing happening as a result'. If your PC seems slow, or unstable, then this could be a clue. Simply closing some windows could make all the difference, as might updating the video drivers.

As usual, these logs are packed with clues to all sorts of problems, many of which you may not even realise you have. Take a look – it's surprising what you can learn.
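The same overview can be pulled from the command line. This PowerShell is an added example, not part of the original tutorial: it uses Get-WinEvent to count the Critical, Error and Warning events of the past week per source and event ID, first for the main Windows logs and then for the Diagnostics-Performance log mentioned above. The function name Get-EventSummary is hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: a scripted counterpart to 'Summary of Administrative Events'.

$since  = (Get-Date).AddDays(-7)
# Numeric event levels and their display names.
$levels = @{ 1 = 'Critical'; 2 = 'Error'; 3 = 'Warning' }

function Get-EventSummary {
    param([string[]]$LogName, [datetime]$Since)

    $filter = @{ LogName = $LogName; Level = 1, 2, 3; StartTime = $Since }

    # Get-WinEvent raises an error when nothing matches, so suppress that case.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object -Property Level, ProviderName, Id |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            # Most recent event in the group, used for the details shown.
            $latest = $_.Group | Sort-Object TimeCreated | Select-Object -Last 1
            [pscustomobject]@{
                Count    = $_.Count
                Level    = $levels[[int]$latest.Level]
                Provider = $latest.ProviderName
                EventId  = $latest.Id
                LastSeen = $latest.TimeCreated
            }
        }
}

# Main Windows logs: repeated disk or driver errors rise to the top.
Get-EventSummary -LogName System, Application -Since $since |
    Format-Table -AutoSize

# Boot and shutdown performance warnings.
$perfLog = 'Microsoft-Windows-Diagnostics-Performance/Operational'
Get-EventSummary -LogName $perfLog -Since $since | Format-Table -AutoSize
```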

Subscriptions

The Event Viewer isn't only able to reveal issues with your own PC. It can also collect information on Vista or Windows 7 systems all across your network, so you can troubleshoot many problems from the comfort of your own desktop.

To set this up you must prepare the remote computers to forward events. First launch an elevated command prompt on each of these (do this by right-clicking the link 'cmd.exe' and selecting 'Run as administrator'), then enter the command winrm quickconfig.

Next, go to the central PC where you'll be collecting these events, launch another elevated command prompt and enter the command wecutil qc.

You can then launch the Event Viewer on the collecting computer, click 'Subscriptions | Create subscription' and tell the system exactly which events you'd like to collect from which computers. These will then appear in the log you specify, and you'll be able to view and filter them just as you can events on your own computer. Well, that's the basic principle at least.

In practice, there are usually some complications. You might have to specifically allow the Remote Event Log Management process to connect through your firewall, for instance, and you'll need to add an account with administrator privileges to the Event Log Readers group on each of the remote PCs. Check the 'Event viewer help' file under 'Manage subscriptions' for more details.

Run a task

So far we've only used Event Viewer in a passive way, allowing it to record what various apps are doing, but the best part of the tool is that it can also be active and dynamic, responding to events with the specific action that you choose.

Suppose one of your favourite apps has its own event log, for instance. It might only add one event a week, but that event might be very important and you may want to know about it right away. Is this a problem? Not at all. In a few clicks you can be alerted whenever a new event appears.

To make this happen, launch Event Viewer, expand the 'Applications and services logs' section of the tree, right-click your log of choice and select 'Attach a task to this log'. Click 'Next' twice, choose the 'Display a message' option, and click 'Next' again. Enter a title for your message, then the message itself, and click 'Next'. Click 'Finish' and that's it – Windows will now display a pop-up alert with your selected message whenever an event is placed in this particular log.

You can also attach a task to a specific event. If you see something that might be really important, like a message that a hard drive is returning controller errors, then right-click it, select 'Attach a task to this event' and the wizard will appear. With a few clicks, you can ensure that you're informed directly about important events, rather than just hoping you'll catch them later.

Perhaps most usefully, the Event Viewer can also launch a task in response to a particular event. If your system is regularly displaying some low-level drive error, for example, you could automatically launch Windows chkdsk or some other drive error checker to confirm that all is well.

If you're running short of hard drive space and related events are appearing, you could have these launch something like CCleaner to quickly free up a little space.

The principle is the same: right-click an event and select 'Attach a task to this event' to launch the Create Basic Task Wizard. This time, when you get to the 'Action' point, select 'Start a program'. Click 'Next', choose your program or script and any optional command line arguments, then click 'Next', finish the wizard and your configuration is complete.

Windows will now respond automatically to events as they occur, which could mean your PC problems are fixed before you realise they've occurred.
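The wizard steps above have a command-line equivalent in schtasks. This PowerShell is an added example, not part of the original tutorial: it creates an event-triggered task and then lists every task on the machine that has an event trigger together with the program it launches, which is also a quick way to review such tasks for anything you did not create. The task name and the function Get-EventTriggeredTask are hypothetical, and the event source 'disk' with Event ID 11 is an assumed match for the controller error; copy the real values from the event you would have right-clicked.

```powershell
# Added example. Run from an elevated PowerShell prompt (3.0 or later).

$taskName = 'Demo-DiskErrorCheck'   # hypothetical task name

# XPath filter for the trigger. Source 'disk' with Event ID 11 is an
# assumption; take the source and ID from your own event's details.
$query = "*[System[Provider[@Name='disk'] and (EventID=11)]]"

# /SC ONEVENT fires on a matching event in the /EC channel. chkdsk without /f
# only reads the volume. /RL HIGHEST runs it elevated; /F overwrites the task.
schtasks.exe /Create /TN $taskName /TR 'chkdsk.exe C:' /SC ONEVENT `
    /EC System /MO $query /RL HIGHEST /F

# List every task that has an event trigger, with the command it runs.
function Get-EventTriggeredTask {
    param([string]$TaskRoot = "$env:SystemRoot\System32\Tasks")

    Get-ChildItem -Path $TaskRoot -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $file = $_
            # Task definitions are stored as XML files under this folder.
            try { $xml = [xml](Get-Content -Path $file.FullName -ErrorAction Stop) }
            catch { return }   # unreadable or not XML: skip this file

            $commands = @($xml.Task.Actions.Exec) | Where-Object { $_ } |
                ForEach-Object { "$($_.Command) $($_.Arguments)".Trim() }

            foreach ($trigger in @($xml.Task.Triggers.EventTrigger)) {
                if (-not $trigger) { continue }
                [pscustomobject]@{
                    Task         = $file.FullName.Substring($TaskRoot.Length)
                    Command      = $commands -join '; '
                    Subscription = $trigger.Subscription
                }
            }
        }
}

Get-EventTriggeredTask | Format-List

# Remove the demonstration task when finished:
# schtasks.exe /Delete /TN $taskName /F
```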
