Dealing with Windows Rootkits

Rootkits are among the most insidious attack tools in circulation. A kernel-mode rootkit replaces or patches core components of the operating system kernel: the system service table, driver dispatch routines, or the kernel's own lists of processes and drivers. In many ways it is like lifting the user-visible operating system into a virtual world and placing an attacker-controlled hypervisor between the OS and the hardware, so that every question an administrator asks the system is answered by code the attacker controls. This gives the attacker the ability to hide processes, files, registry keys, and network activity, and to redirect calls meant for a legitimate application or driver to a malicious version under the attacker's control.
 
To install a kernel rootkit, the attacker must first obtain root, superuser, or administrator privileges on the victim machine, because loading a driver or writing to kernel memory requires them. Denying that first step is the real defense: harden the operating system with a host IPS, apply a good security template such as the benchmarks published by the Center for Internet Security, and keep day-to-day user accounts out of the Administrators group.
 
A number of tools detect rootkits. Use at least three of them, because each looks for different rootkit fingerprints: RootkitRevealer, for example, compares what the Windows API reports for the file system and registry with what it reads from the raw disk and hive files and reports the discrepancies, while other tools look for hooked system service table entries or for processes that one enumeration method returns and another does not. Be aware that these tools also produce frequent false positives. A discrepancy is a lead to investigate, not a verdict; something that only one tool reports, or that is gone on a second scan, is usually noise.
 
Here are some good tools:
 
Sysinternals RootkitRevealer
 
F-Secure BlackLight
 
IceSword
 
Sophos Anti-Rootkit
 
McAfee Rootkit Detective
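The cross-view technique these tools rely on, as an added worked example (this is not code from any of the tools listed above): the process list is enumerated by two independent routes, a high-level API walk and a brute-force scan of candidate PIDs, and each route is sampled twice so that a process which merely started or exited between passes is not reported as hidden. The view names, the PID values and the `corroborate` helper are constructed for illustration; on a real machine the snapshots would come from the Windows API and from calling OpenProcess on every PID.

```python
"""Cross-view rootkit detection over constructed process snapshots.

A rootkit that unlinks a process from the kernel's process list hides it from
API-based enumeration, but a brute-force scan of PIDs (OpenProcess on every
candidate) may still find it. Comparing the two views exposes the gap; taking
each view twice filters out processes that came or went between passes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    view: str          # enumeration method, e.g. "api" or "pid_scan"
    pids: frozenset    # process IDs seen in this pass


def find_hidden_processes(snapshots):
    """Return {pid: {views that never saw it}} for every PID that one view
    reported in all of its passes while another view never reported it."""
    passes = {}
    for snap in snapshots:
        passes.setdefault(snap.view, []).append(snap.pids)
    # PIDs a view reported consistently (present in every pass of that view)
    stable = {v: frozenset.intersection(*p) for v, p in passes.items()}
    # PIDs a view reported at least once (a transient hit still counts as seen)
    ever = {v: frozenset.union(*p) for v, p in passes.items()}
    hidden = {}
    for seen_by, pids in stable.items():
        for pid in pids:
            blind = {v for v, s in ever.items() if v != seen_by and pid not in s}
            if blind:
                hidden.setdefault(pid, set()).update(blind)
    return hidden


def corroborate(findings_by_tool, minimum=2):
    """Keep only items flagged by at least `minimum` independent tools: the
    'use at least three tools' advice applied to their combined output."""
    counts = {}
    for flagged in findings_by_tool.values():
        for item in flagged:
            counts[item] = counts.get(item, 0) + 1
    return {item for item, n in counts.items() if n >= minimum}


# Constructed sample: PID 4321 is unlinked from the kernel process list, so
# the API never sees it; 999 exited and 777 started between the two passes.
SAMPLE_SNAPSHOTS = [
    Snapshot("api", frozenset({4, 512, 999, 1200})),
    Snapshot("pid_scan", frozenset({4, 512, 999, 1200, 4321})),
    Snapshot("api", frozenset({4, 512, 1200, 777})),
    Snapshot("pid_scan", frozenset({4, 512, 1200, 4321, 777})),
]


if __name__ == "__main__":
    print(find_hidden_processes(SAMPLE_SNAPSHOTS))   # {4321: {'api'}}
    print(corroborate({"tool_a": {4321}, "tool_b": {4321, 31337}, "tool_c": set()}))
```

Only 4321 is reported: 999 and 777 appear in both views but not in both passes of either, which is exactly the race that produces the false positives the tools are known for. The second call shows the same filter applied across tools, where 31337 is dropped because a single tool flagged it.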
 
Of course, once a rootkit is installed you cannot trust anything the running kernel tells you, including the output of the detectors above. The reliable approach is to examine the system from a trusted environment such as the Helix incident response bootable Linux CD: boot from the CD, mount the suspect disk read-only, and compare its files against known-good copies from outside the compromised operating system.
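Checking the suspect volume from the trusted boot environment, as an added example (this is not a Helix tool, and the paths and file contents are constructed for the demo): hash every file under the mounted volume and diff the result against a manifest taken from a clean installation at the same patch level. Because the comparison runs outside the suspect kernel, file-hiding hooks cannot influence what is read.

```python
"""Offline integrity check of a suspect volume against a known-good manifest.

Run from a trusted boot environment with the suspect disk mounted read-only,
so the suspect kernel never gets to answer the questions. A hash mismatch means
only 'differs from the baseline': confirm against the vendor's own file
catalog before calling it a rootkit, and make sure the baseline came from the
same patch level or every updated binary will show up as modified.
"""
import hashlib
import pathlib
import tempfile


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file under `root` (relative, '/'-separated) to its SHA-256."""
    root = pathlib.Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_to_baseline(manifest, baseline):
    """Classify differences between the suspect manifest and the baseline."""
    return {
        "modified": sorted(k for k in manifest if k in baseline and manifest[k] != baseline[k]),
        "added": sorted(manifest.keys() - baseline.keys()),
        "missing": sorted(baseline.keys() - manifest.keys()),
    }


def _write_tree(root, files):
    """Materialise a {relative path: bytes} dict under `root` (demo helper)."""
    for rel, data in files.items():
        path = pathlib.Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo():
    """Constructed clean and suspect trees standing in for real volumes. On a
    real case the baseline comes from a clean install and the suspect tree is
    the read-only mount of the seized disk (for example /mnt/suspect)."""
    clean_files = {
        "Windows/System32/ntoskrnl.exe": b"kernel image, build 6002",
        "Windows/System32/drivers/tcpip.sys": b"tcp/ip driver, build 6002",
        "Windows/System32/drivers/ndis.sys": b"ndis driver, build 6002",
    }
    suspect_files = dict(clean_files)
    # The constructed rootkit patched the TCP/IP driver and dropped its own driver.
    suspect_files["Windows/System32/drivers/tcpip.sys"] = b"tcp/ip driver, patched"
    suspect_files["Windows/System32/drivers/hidden.sys"] = b"rootkit driver"
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        _write_tree(clean, clean_files)
        _write_tree(suspect, suspect_files)
        return compare_to_baseline(build_manifest(suspect), build_manifest(clean))


if __name__ == "__main__":
    print(demo())
```

The same manifest can be produced on the clean reference machine and carried to the analysis CD on read-only media; what must never be trusted is a baseline, or a hash tool, that lived on the suspect disk.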
 
 

February 1, 2010   Posted in: Computing

Resume

Raymond Sbrusch

Qualifications Summary

Solutions-oriented Information Security Professional with success advocating a broad range of security initiatives while participating in design, implementation, and support of multi-platform technologies.

- Commended for clear communication and documentation of complex technical concepts.

- Thrives on discussing network and security topics with diverse audiences including technology experts, non-technical staff, executive management, students, and researchers.

- Hands-on experience implementing a wide range of technologies including switching, routing, and content availability hardware, along with Windows and UNIX-based software solutions.

- Believes that maintaining strong, professional relationships with internal customers, technical peers, and business partners provides the best service to my employer.

- Committed to delivering high performance and robust functionality alongside comprehensive security mechanisms.

 

 

Professional Experience

Texas Children’s Hospital – Houston, Texas   January 2003 to Present

Data Security Architect

Leadership Achievements:

- Led the vulnerability management effort to keep Internet-facing systems in compliance with the Payment Card Industry Data Security Standard since January 2007.

- Defined security requirements and assessment methodologies for diverse technologies including 802.11, Bluetooth, Windows, Active Directory, VPNs, DNS, and general applications.

- Project Manager of the Wireless LAN Infrastructure Project. Led the requirements analysis, design, and implementation while staying under budget.

- Organized and led incident response teams for the handling of security events including worms, system abuse, and investigations of anomalous behavior.

Technical Accomplishments:

- Implemented and maintained load-balancing systems including Foundry ServerIron and Cisco CSS. Replaced Foundry and Cisco with F5 BIG-IP LTM, gaining protection for web applications.

- Implemented Sun reverse proxy to protect web servers. Integrated RSA SecurID into web applications to authenticate users and SSL client certificates to authenticate computer interfaces.

- Implemented and supported multiple firewall systems including Check Point, Cisco, and Netscreen. Implemented AirDefense wireless IDS and IBM SiteProtector wired IDS.

- Led the initiative for security event correlation; architected and implemented Cisco MARS for correlation of security logs from routers, access points, Solaris and Windows servers, directory servers, proxy servers, and firewalls.

- Recognized the lack of performance analysis tools. Implemented an RRDtool front-end on Solaris 10 for monitoring and reporting of Data Security and Network system performance and utilization.

Communications Successes:

- Author of numerous Information Security publications, including security tips for users, materials publicizing Security accomplishments, risk assessment methodologies, policies, and procedures.

- Promoted and gained approval for CareWifi, our free and open wireless Internet service for hospital patients, families, vendors, and employees.

- Educated IT and biomedical staff on wireless security and data hiding in “brown bag” seminars.

Awards:

- Winner of the Information Services “Run to the Problem” award for volunteering to support Houston-Harris County Immunization Registry Tomcat and Apache web servers.

“Performing each of the tasks in a competent and thorough manner is the expectation of the job. Ray has gone way above the expectation in the level of planning, detail, and execution of these tasks. He consistently surprises all he works with by the level of understanding of their issues and providing complex analysis and solutions in an understandable and elegant manner.” – Mark Mathre, former Data Security Manager

Diverse Networks, Inc. – Houston, Texas   October 2000 to January 2003

Systems Engineer

- Configured Alteon load balancers, Network Appliance NetCache, and Cisco routers, and installed the OmniSky wireless web and mail transformation applications.

- Spearheaded the development and deployment of proactive monitoring tools in the OmniSky and Palm.Net Network Operations Centers. Redesigned the network management systems to logically reflect system dependencies. Maximized the effectiveness of polling and integrated port interrogation, service monitoring, SNMP, and Syslog message handling into NMS functionality.

- Designed and coded automated reporting tools which saved operations analysts hours in NOC report preparation. Installed a MySQL database and added MySQL interfaces to my Perl scripts, which allowed on-demand historical event reporting.

- Participated in the overhaul of Diverse Networks’ corporate network. This included implementation of Cisco routers, Cisco PIX firewalls, and a netfilter/iptables firewall. Configured the internal BIND DNS server on Solaris and built a web-based access control system for wireless LANs on a Linux embedded PC.

- Developed a training program for NOC analysts and trained EarthLink engineers during the EarthLink purchase and absorption of OmniSky.

 

Education and Training

 

May 2008   University of Houston, Clear Lake   Houston, Texas

- Master of Science, Computer Science

- Thesis: “Authenticated Messaging in Wireless Sensor Networks used for Surveillance”

 

August 1994   University of Houston, University Park   Houston, Texas

- Bachelor of Arts, English Literary Studies

- Dean’s List.

 

Computer Security Certifications

 

- (ISC)2 Certified Information Systems Security Professional, # 102196

- SANS GIAC Computer Incident Handler – Gold Certification

  Practical available at http://www.sans.org/reading_room/whitepapers/covert/

- SANS GIAC Cutting Edge Hacking Techniques Certificate

- SANS GIAC Auditing Wireless Networks – Silver Certification

July 9, 2008   Posted in: Resume

View my Thesis

My thesis is approved and posted online at the UHCL Distributed Computer Security Lab website. Here is the link. Contact me if you have any comments or questions: sbrusch@gmail.com.

June 7, 2008   Posted in: Computing
