Anti-Rootkits – Finding and Eliminating Stealthy Intruders

October 5th, 2007

A rootkit, like a cloak of invisibility, is a program that conceals the presence of an application on a computer. Installing itself silently, it stays concealed by hiding processes, files, network traffic and other observable information about itself from the computer user. Rootkits typically hide utilities that make it easy for attackers to return to a compromised system. Rootkits aren’t easily detected and since no single vendor reliably detects all rootkits, it can be beneficial to work with more than one free rootkit tool.Sophos Anti-Rootkit is a sophisticated rootkit detector and remover for Windows NT, 2000, XP and 2003. Before scanning, it’s strongly recommended to close down all non-essential applications. A rootkit scan can take several minutes on a desktop computer or significantly longer on a server. The scan searches for hidden files, processes, registry keys and values. When the scan finishes, a pop-up screen appears, confirming the status and results of the scan. Click on the suspicious file to display more information about it. The information displayed includes whether the item is recommended for removal. If a suspicious file is recognized it can be safely removed, and if the scanner isn’t sure what it is, but considers it suspicious, it can still be removed.

Panda AntiRootkit, like Sophos, has a GUI and allows for command-line options. Also like Sophos, it identifies known rootkits and suspicious rootkit behaviors indicative of unknown rootkits and provides the option of removing them along with their associated registry entries, processes and files. Panda AntiRootkit looks for hidden files, registry entries, drivers, processes, execution hooks and does an excellent job of ferreting out possible rootkits. Panda AntiRootkit runs on Windows 2000, XP and 2003. It does a thorough job of removing dangerous rootkits even when it can’t fully identify them.

If one of the rootkit scanners mentioned above doesn’t do it for you, you can also run additional rootkit detection and removal tools such as:

McAfee Rootkit Detective is a program designed to detect and clean rootkits and works on XP, 2000 and 2003. However, McAfee strongly recommends its software only be used by knowledgeable individuals at the direction of, and with the support of a representative from McAfee Avert Labs or McAfee Technical. AVG Anti-Rootkit Free provides for rootkit detection and removal and works on Windows 2000 and XP.

Rootkit detection and removal is showing up as part of more anti-virus packages, but these scanners can help provide an additional line of defense against the dark arts.

Used with permission. The original article can be found here.

SpamAssassin – Going Ninja on Unwanted Spam

October 5th, 2007

Spam isn’t just about deposed Nigerian dictators who want to send you millions of dollars. Spam emails often contain malicious code, viruses, phishing attacks, and drive-by Trojans — not to mention some inappropriate content. One of the best weapons available to defend your systems against spam is the open source software SpamAssassin.SpamAssassin interacts with the mail server and analyses each email message using multiple methods of detection. Integrity analysis examines mail message headers and bodies to identify the common characteristics of spam. Heuristic rules detect spam messages by testing all content and producing scores for spam and non-spam criteria. The more spam-like elements the system detects, the higher the score, indicating the message is likely spam and should be handled as such.

SpamAssassin consists of two main components: A message filter and a rules engine. The message filter incorporates backend code and the user interface, and performs several tasks — including reading in messages, parsing into an internal format and rewriting messages. The rules engine handles the processing of hundreds of rules over the message content. The engine determines the final message score, and whether or not the message should be auto-learned via the Bayesian system and the other rules utilized. Despite the parsing and processing — using a weighting system to intelligently determine if a message should be considered spam — SpamAssassin is amazingly fast, handling thousands of messages with ease.

SpamAssassin also uses internally generated blacklists and whitelists from external sources, providing for known bad and good mail handling. The “AutoWhiteList” feature adds intelligence by dynamically adjusting the whitelist based on history. For instance, if a sender typically sends non-spam emails, and then happens to send a message that looks like spam, SpamAssassin uses it’s history report to move the message score back toward a non-spam average — adjusting the overall spam rating to compensate for the message being sent by a known sender.

Content filtering identifies key words or phrases, including purposefully trans-coded and obfuscated URLs. DNS block-lists, which are available on the Internet, allow SpamAssassin to block known spam senders. SpamAssassin also makes use of third-party plug-ins. For example, in a prior article I noted that Clam AntiVirus can provide SpamAssassin input if a message contains a virus, adding to SpamAssassin’s weighted spam score.

SpamAssassin is available for Linux, Windows and Mac OS X platforms. If you run a mail server, you shouldn’t do it without SpamAssassin.

Used with permission. The original article can be found here.

ClamAV – A Free AntiVirus That Really Works

October 5th, 2007

Here’s a recent article I wrote about ClamAV

One Blaster worm can ruin your whole day — but Clam AntiVirus is free, fast, and can save the day.

Clam AntiVirus is an antivirus toolkit for Unix, specializing in email scanning on mail gateways. Product features include a multi-threaded daemon, command-line scanner and automatic virus database updates. ClamAV detects more than 116,000 viruses, worms and Trojans, including Microsoft Office macro viruses and mobile malware.

When a new worm spreads, the development team usually releases a database update in less than an hour. Users can develop their own signatures, and submit them — or suspect files — to the developers. Updates work either in an interactive mode (on demand from the command line) or as a daemon (updating silently in the background). All virus updates are digitally signed to validate proof of authenticity.

Clam AntiVirus is capable of scanning files and directories, including recursive directories. Its multi-threaded execution makes use of the numerous CPU processors found in most contemporary machines. ClamAV also protects against malware hidden within archives by scanning inside compressed files. ClamAV supports ZIP, RAR, SFX, TAR, GZIP, MS cabinet (CAB) files, CHM (compiled HTML), BinHex and more. The product is also capable of examining several special file formats, including HTML, RTF, PDF, uuencode, TNEF (winmail.dat) and JPEG files looking for hidden exploits.

In addition to scanning files and folders, Clam AntiVirus scans data streams for viruses that may attempt to traverse the network. ClamAV is also extensible and supports added functionality via third-party add-on modules, such as the phishing module that blocks SSL mismatches in URLs to prevent users from being redirected to phony look-alike identity-theft sites. SpamAssassin users may appreciate the third-party plug-in for SpamAssassin, which calls ClamAV and adds a score based on the result of ClamAV’s scan.

Clam AntiVirus is an active open source project licensed under the the General Public License (GNU). Most popular Unix-based operating systems are supported, including Linux, Solaris, BSD and Mac OS X. There is also a ClamAV Windows port offered at w32.clamav.net. ClamAV excels at flagging malware, though falls short in its ability to auto-block active threats. Nonetheless Clam AntiVirus is a worthy arrow in your security quiver.

Used with permission. The original article can be found here.