Friday, January 28, 2022

People Are Sharing Their Best Work-Life Balance Tips, And, Honestly, I Need To Start Doing All Of Them


Burnout is absolutely no joke, and these days it seems like a lot of us are feeling, if not completely burnt, then at least extra crispy.


So I became curious about what's helped other people feel more balanced. I asked members of the BuzzFeed Community to share their best work-life balance tips, and wowee did they deliver:

1. Look for ways to improve your workplace's culture around balance and overworking.


"Accept that work will never love you back. It will demand as much of your time and energy as you can give it, but it will never be satisfied. As my dad says, 'It’ll suck you dry and call you dusty.'

If you possibly can, find ways to fix it, rather than just bitch about how busy and stressed you are all the time. Join committees to improve your work culture, and join a union if that’s available to you. If nothing else, keep track of your tasks and how long you’re spending on them, and try to get concrete action points out of your boss about what to prioritize or do less well on. Share your successes with your colleagues. And find sources of satisfaction outside work: hobbies, volunteer work, religion — find something meaningful."

janes4c411b247

2. Taking time off can be a great way to recharge, even if you don't think you need it.

"TAKE. TIME. OFF. DAMMIT. Even just one or two days per month (PTO permitting, of course), or take a full week off every three to four months or so. For real, I didn't realize how burnt out I was until I took time off, and just WOW. Now I have made it a mission and goal to take at least one or two days off per month, long weekend kind of thing. Stay at home, pack a bag, do whatever you want, but taking a day off from your desk can really help."

witchyribbon84

3. And if you're salaried, don't feel pressured to work extra hours.

"If you’re salaried, it’s hard to break the habits of an hourly worker. When you’re salaried, they pay you for your EXPERTISE, not your time. Don’t work more than your 40 hours, less if you can, because that isn’t why you’re paid anymore."

turnipcakeafficionado

4. Make time for yourself by blocking it out on your calendar.

"Put blocks on your calendar!! You deserve time to debrief, focus, eat, take a little nap, whatever you want. But don’t let your job take over your life."

ladyt9

5. Instead of logging back on to do "one more thing," leave a note for Future You. They can handle it later.

"Working from home makes the lines blur FAST — that's why my hard-and-fast rule is that when I log off for the day, I'm done — no logging back in at night, checking email from my phone or doing one more thing. I'll write myself a note or even leave myself a voicemail if I'm worried about something that comes to mind.

I also use 'Future Me' a lot to talk about myself the next day and after a particularly stressful day, sometimes I have to say it's her problem, not mine...of course, it also means Future Me hates Past Me sometimes..."

manningl428

6. Give yourself some buffer time to chill out after work before you start doing more stuff.

"It’s a small thing, but when I get home from work every day I take 45 minutes to sit, have a cuppa, and zone out to the TV before I start housework, dinner, etc. This allows me time to switch off from my work day and become fully engaged in being at home. It’s made my downtime more high quality."

pritchette

7. If you tend to talk about work a lot, come up with a "safe word" or phrase that your loved ones can use to help you snap out of it.

"My fiancé and I both started new management jobs that require us to be on location in an office and are also both on call. We found ourselves talking about work all the time and feeling like we had no balance. My fiancé came up with a phrase we now use to remind each other to take a break from work. If either of us get into a rant, the other will say, 'what are we grateful for today.' It felt silly at first, but it really helped put things in perspective. It snaps us out of our work thought-storm and gives us an opportunity to speak each other's love language (I need quality time and he needs words of affirmation). We really do have a lot of things to be grateful for and sometimes need a little reminder when we’re caught up in the moment."

chelynwei

8. Make sure your coworkers know that you shan't be checking work messages after-hours.

"Be clear with coworkers about boundaries and scheduling. If you work remote, shut your computer off at the same time every day. For the most part, unless your job is in a medical or safety field, no one will die if you send an email the next morning or return a phone call during your work hours. There are always going to be 'martyr' workers who think they are better for sacrificing their health or time for work. They are not better, and you can still get your job done during regular hours."

dellarock

9. And learn to be ok with leaving some things undone.

"Leave when you are scheduled to leave. The work will still be there tomorrow."

dr-doctor

10. Make your personal social media accounts a work-free zone that you can scroll through after-hours without seeing Linda from accounting.

11. For the love of all that is holy, take your lunch break.

"TAKE YOUR FULL LUNCH BREAK!!! I hate when employees are expected to regularly eat lunch at their desk as they work. First, no one actually does that; they eat then work or eat as they’re looking at things that have nothing to do with work. Second, with any job but especially when you have a job that is less than ideal, it’s so cathartic to leave the building, go somewhere (for me ideally home for my lunch break), and eat your lunch while not thinking about work."

salamandersorcurer

12. When you're on the job hunt, look for companies that already prioritize work-life balance.

"I make it a priority to seek out job opportunities with a culture that is willing, able, and eager to accommodate a work/life balance. I strictly enforce work boundaries on my own as well — I take my full lunch hour every day, I do not have my work email on my phone, and my Slack notifications are turned off in the evening. My vacation is my vacation, and I never promise to 'check in' while I'm away, or offer to be contacted in case someone has a question. It is possible to find workplaces that have these same priorities, and THOSE are the places you want to work!"

sweaver2010

13. And if your workplace doesn't respect your boundaries, it may be time to look for one that does.


"To be honest? In my experience, the key to a good work-life balance is the job itself. Too many companies expect responsiveness before or after hours, expect salaried positions to work whenever they want them to, don’t pay you enough to live comfortably, etc.

If you raise these concerns and there is no compromise or change, the best way to achieve better work/life balance is to take your talents to a company that enables it."

annahill95

14. Sticking to a daily routine and giving yourself a little extra time in the morning can make a big difference.

"I struggled to WFH prepandemic (big procrastinator over here), but this year I’m enforcing a daily routine to ensure I work during my working hours and shut off my laptop at consistent times (when possible). Waking up 30 minutes earlier, I now spend my mornings stretching or exercising, cleaning up from the night before, getting dressed, all before 9 a.m. so I feel fully prepared for the day.

I’m also trying to eat at the same times and take my daily stupid walk for my stupid mental health (I joke, but this routine really has helped my mental/physical health and I feel a better separation from my 'work self' and 'relaxing self'). Also, keep your personal phone in another room when working if you can."

isabossy

15. If you work from home, knock out a few chores on your breaks so you have more time to do whatever the heck you wanna do after work.

"Honestly working from home HAS been a game changer. Now instead of taking a whole hour for lunch, I take small, 15-minute breaks at home and set the washing machine and then hang my clothes, sweep, do the dishes and such, so that I don't spend hours doing everything together. I also take showers during those 15-minute breaks, so as soon as I finish my shift I'm free to do whatever.

Also, I do my haircuts and dyeing and everything with a hairdresser who comes to my home. I can work while I get everything done and it's great. If you have the chance, do it! I know it's like once every month or more but it does help. You can then spend free time with friends, go out, go to the gym, or just stay in watching TV if you wanna chill."

asdzx

16. And setting aside some work-only space can help you create a physical boundary between work and life.

17. Finally, shift your focus to taking care of (and listening to) yourself so you can better understand what you personally need to feel balanced.

"Living my life with a bigger commitment to physical and mental wellness has allowed me to gain an 'everything is everything' attitude. Allowing myself the right amount of sleep, cardio exercise, correct foods, and healthy relationships has really upped my game. I used to get off on a Friday and cut loose for 48 hours but could never really catch up with myself. Now I go out when I want and stay in when I want, all while self-regulating, and I feel totally in balance. BONUS: It led to huge promotions and way more compensation, which is nice!"

umrawk85

Note: Submissions have been edited for length and clarity.

What's something that helps you feel more balanced? Share your best tips for juggling this whole work-life thing in the comments!

And for more stories about work and money, check out the rest of our personal finance posts.

Thursday, January 27, 2022

HOW TO UNSKID YOURSELF 101

[1.] Hacking: The Art of Exploitation, 2nd Edition
This book covers coding (C, x86 assembly), exploitation (stack overflow, heap overflow, Format String), Networking
(and network-based attacks), writing shellcode, countermeasures and some crypto. It's the very first book to read since it
doesn't expect you to know anything before you start, though some experience with a programming language will
certainly make things a lot easier.
[2.] Web application Hacker's Handbook, 2nd Edition
Covers pretty much all areas of web application security, could be seen as a reference guide, or a book to be read from
start to finish. I'd recommend reading at least the first chapters before jumping back and forth in the book.
[3.] Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration
http://opensecuritytraining.info/IntroX86.html
https://www.youtube.com/watch?v=H4Z0S9ZbC0g
A video course teaching you Intel x86, something you'll really want to know if you plan on pwning gibsons. It's a long
course, but absolutely amazing, and it gives you a really good foundation for learning software exploitation and reverse
engineering. Some of the material covered here is also in Hacking: The Art of Exploitation, but practice makes perfect.
[4.] Exploits 1: Introduction to Software Exploits
http://opensecuritytraining.info/Exploits1.html
https://www.youtube.com/watch?v=dGyWvGmBYVw&list=PL96AB65DFCE02EE3E
Another great video course from the guys over at OpenSecurityTraining. This time we'll delve deep into the art of
exploitation. The course covers stack overflows, heap overflows, writing shellcode and an intro to exploit mitigations
(DEP/NX, ASLR).
[5.] Offensive Computer Security
http://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/lectures.html
Another course, this time from FSU.
Covers:
Secure Coding in C / Code Auditing
Reverse Engineering
Fuzzing
Exploit Development
 Stack/Heap/Format String
 ret2libc
 ASLR, NX/DEP, Stack Cookies, EMET
 Return Oriented Programming (ROP)
Networking
Web application Hacking/Security
 WAF
 IDS
 SSL
Metasploit
Post Exploitation
Forensics and Incident Response
Physical Security and Social Engineering
[6.] TrailOfBits – CTF Field Guide
https://trailofbits.github.io/ctf/index.html
A text and video course covering:
 Vulnerability Discovery
- Auditing Source
- Auditing Binaries
- Auditing Webapps
 Exploit Creation
- Binary Exploits
- Webapp Exploits
 Forensics
[7.] The Shellcoder's Handbook: Discovering and Exploiting Security Holes
Amazing book. Covers stack overflows, heap overflows, format strings, writing shellcode (duh), linux x86, Windows,
Solaris, OS X, Cisco IOS, exploit mitigations, fuzzing, source code auditing, binary auditing (reverse engineering),
kernel exploitation on Unix/Windows and a lot more...
Note: Not a beginners book.
[8.] A Guide to Kernel Exploitation: Attacking the Core
You wanna write kernel exploits? Of course you do. Look no further.
Note: Also not a beginners book.
Books
The following books didn't really fit in the introduction list of learning material, but are just as
important if you wish to continue your security journey.
[Exploit Development]
 Gray Hat Hacking: The Ethical Hacker's Handbook, Fourth Edition
 The Mac Hacker's Handbook
[Reverse Engineering]
 Reverse Engineering for Beginners (http://beginners.re/)
 Reversing: Secrets of Reverse Engineering
 Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation
 IDA Pro Book, 2nd Edition
 Hacking the Xbox: An Introduction to Reverse Engineering (http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf)
[Programming]
 The C Programming Language (by K&R)
 Learn C The Hard Way (http://c.learncodethehardway.org/book/)
 Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers
 Gray Hat Python: Python Programming for Hackers and Reverse Engineers
 PC Assembly Language (http://www.drpaulcarter.com/pcasm/) (x86 NASM)
 Programming from the Ground Up (http://savannah.nongnu.org/projects/pgubook/) (x86 AT&T)
 Assembly Language Step by Step: Programming with Linux 3rd Edition
 64 Bit Intel Assembly Language Programming for Linux
[Auditing and Vulnerability discovery]
 A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security
 The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities
 Fuzzing: Brute Force Vulnerability Discovery
[Penetration Testing]
 Metasploit Unleashed (http://www.offensive-security.com/metasploit-unleashed/Main_Page)
 Metasploit: The Penetration Tester's Guide
 The Hacker Playbook: Practical Guide To Penetration Testing
 RTFM: Red Team Field Manual
[Web Security]
 The Tangled Web: A Guide to Securing Modern Web Applications
 SQL Injection Attacks and Defense, Second Edition
 The Browser Hacker's Handbook
 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'
[Malware, Forensics and Anti-Forensics]
 The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System
 Designing BSD Rootkits: An Introduction to Kernel Hacking
 Rootkits: Subverting the Windows Kernel
 Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
[Mobile Security]
 iOS Hacker's Handbook
 Android Hacker's Handbook
 The Mobile Application Hacker's Handbook
Video Courses
Exploits 1: Introduction To Software Exploits
http://opensecuritytraining.info/Exploits1.html
https://www.youtube.com/playlist?list=PL96AB65DFCE02EE3E
Exploits 2: Exploitation in the Windows Environment
http://opensecuritytraining.info/Exploits2.html
https://www.youtube.com/playlist?list=PL9F9E52502327B1CA
Introduction To Reverse Engineering Software
http://opensecuritytraining.info/IntroductionToReverseEngineering.html
https://www.youtube.com/playlist?list=PLUFkSN0XLZ-nXcDG89jS9iqKBnNHmz7Qw
Intermediate Intel x86: Architecture, Assembly, Applications, & Alliteration
http://opensecuritytraining.info/IntermediateX86.html
https://www.youtube.com/playlist?list=PL8F8D45D6C1FFD177
MIT 6.858: Computer Systems Security
http://css.csail.mit.edu/6.858/2014/
https://www.youtube.com/watch?v=M2gc6b1hmk8&index=1&list=PLA6Ht2dJt3SLQmKhygx8HfwV_hxuPPCea
Tutorial Series
Exploit Development:
https://www.corelan.be/index.php/articles/
http://expdev-kiuhnm.rhcloud.com/
http://www.securitysift.com/windows-exploit-development-part-1-basics/
http://www.fuzzysecurity.com/tutorials.html
Tools
[ Fuzzing ]
american fuzzy lop
 “American fuzzy lop is a security-oriented fuzzer that employs a novel type of compile-time instrumentation
and genetic algorithms to automatically discover clean, interesting test cases that trigger new internal states in
the targeted binary. This substantially improves the functional coverage for the fuzzed code.”
http://lcamtuf.coredump.cx/afl/
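As an added example (mine, not AFL's code and not part of the original post), here is the loop that blurb describes, boiled down to Python. AFL gets its coverage from compile-time instrumentation of the target binary; here a constructed target calls cov.hit() at each branch to play that part, and the bug it hides (a length field trusted without a bounds check) stands in for a real out-of-bounds read. The point is the queue: mutants that reach a new edge are kept and mutated further, so the three magic bytes get found one at a time instead of all at once.

```python
import random
from typing import Callable, List, Optional, Set, Tuple


class Coverage:
    """Edge coverage (previous branch -> current branch): the role of AFL's shared bitmap."""

    def __init__(self) -> None:
        self.edges: Set[Tuple[str, str]] = set()
        self.prev = "entry"

    def hit(self, branch: str) -> None:
        """Stand-in for AFL's compile-time instrumentation; the target calls it at every branch."""
        self.edges.add((self.prev, branch))
        self.prev = branch


def target(data: bytes, cov: Coverage) -> None:
    """Constructed parser: a 3-byte magic, then a length field that is trusted without
    checking it against the bytes actually present."""
    cov.hit("start")
    if len(data) < 4:
        cov.hit("too_short")
        return
    if data[0] != ord("F"):
        cov.hit("bad_magic0")
        return
    cov.hit("magic0")
    if data[1] != ord("Z"):
        cov.hit("bad_magic1")
        return
    cov.hit("magic1")
    if data[2] != ord("Z"):
        cov.hit("bad_magic2")
        return
    cov.hit("magic2")
    payload_len = data[3]
    if payload_len > len(data) - 4:
        cov.hit("overread")
        # The bug: a C parser would read past the buffer here; the exception
        # plays the part of the crash AFL would catch.
        raise IndexError(f"header claims {payload_len} payload bytes, buffer has {len(data) - 4}")
    cov.hit("ok")


INTERESTING = [0, 1, 0x7F, 0x80, 0xFF]


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One havoc round: 1-3 random byte-level edits."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(4)
        if op == 0 and buf:                      # flip one bit
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 1 and buf:                    # overwrite a byte with a random value
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == 2 and buf:                    # overwrite with an "interesting" value
            buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
        elif op == 3:                            # insert or delete a byte
            if len(buf) > 1 and rng.random() < 0.5:
                del buf[rng.randrange(len(buf))]
            else:
                buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def run_once(prog: Callable[[bytes, Coverage], None], data: bytes) -> Tuple[Set[Tuple[str, str]], bool]:
    """Execute the target once; return the edges it hit and whether it crashed."""
    cov = Coverage()
    try:
        prog(data, cov)
    except Exception:
        return cov.edges, True
    return cov.edges, False


def fuzz(prog: Callable[[bytes, Coverage], None], seed: bytes, iterations: int,
         guided: bool = True, rng_seed: int = 1) -> Optional[bytes]:
    """Return the first crashing input found, or None.

    guided=True keeps every mutant that reaches a new edge and mutates from those
    too (AFL's queue); guided=False always mutates the seed, like a dumb mutational fuzzer."""
    rng = random.Random(rng_seed)
    queue: List[bytes] = [seed]
    seen_edges = set(run_once(prog, seed)[0])
    for _ in range(iterations):
        # Favour the newest queue entry, as AFL favours recently found inputs.
        parent = queue[-1] if rng.random() < 0.5 else rng.choice(queue)
        child = mutate(parent, rng)
        edges, crashed = run_once(prog, child)
        if crashed:
            return child
        if guided and not edges <= seen_edges:
            seen_edges |= edges
            queue.append(child)
    return None


if __name__ == "__main__":
    print("guided  :", fuzz(target, b"AAAA", 200_000))
    print("unguided:", fuzz(target, b"AAAA", 200_000, guided=False))
```

Run it and the guided loop hands back an input starting with FZZ after a few thousand executions, because each correct magic byte opens a new edge and earns its mutant a place in the queue; the unguided loop, which only ever mutates the seed, would need all three bytes in one lucky round and gets nowhere in the same budget.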
PEACH Community Fuzzer
 “Peach is a SmartFuzzer that is capable of performing both generation and mutation based fuzzing.”
http://community.peachfuzzer.com/
SPIKE
 “Written in C, exposes a custom API for fuzzer development. Probably the most widely used and popular
framework.”
http://www.fuzzing.org/ or http://www.immunitysec.com/resources-freesoftware.shtml
Zulu – The Interactive Fuzzer
 “Zulu is an interactive GUI-based fuzzer. It is as much as possible, input and output-agnostic so once you are
happy with using the fuzzing engine that's driven by the GUI you are only limited by the input and output
modules that have been developed for it.”
https://github.com/nccgroup/Zulu
sulley
 “A pure-python fully automated and unattended fuzzing framework.”
https://github.com/OpenRCE/sulley
zzuf - multi-purpose fuzzer
 “zzuf is a transparent application input fuzzer.”
http://caca.zoy.org/wiki/zzuf
More information on fuzzers:
http://www.fuzzing.org/wp-content/sample_chapter.pdf
http://www.blackhat.com/presentations/bh-usa-09/EDDINGTON/BHUSA09-Eddington-DemystFuzzers-PAPER.pdf
[ Exploit Development ]
mona.py
 A debugger plugin for Windows exploit development.
https://github.com/corelan/mona
https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
PEDA
 Python Exploit Development Assistance for GDB
https://github.com/longld/peda
pwntools
 pwntools is a CTF framework and exploit development library. Written in Python, it is designed for rapid
prototyping and development, and intended to make exploit writing as simple as possible.
https://pwntools.readthedocs.org/en/2.2/
https://github.com/Gallopsled/pwntools
Metasploit Framework
 This framework has some pretty great tools for exploit development. I encourage you to go read the wiki,
which will help you set up a development environment and get started:
https://github.com/rapid7/metasploit-framework/wiki
[ Debuggers ]
(will finish this later)
GDB
radare2
WinDBG
OllyDBG
Immunity Debugger
TODO:
 add more content (whitepapers etc)
 write an introduction
 organize shit better
xoxo,
pantsu && lsd

Tuesday, January 25, 2022

THE CHALLENGE OF DETECTING AND REMOVING INSTALLED THREATS

Jason Bruce
SophosLabs, Sophos Plc, The Pentagon,
Abingdon Science Park, Abingdon, OX14 3YP, UK

Tel +44 1235 544142
Email jason.bruce@sophos.com

ABSTRACT

The days when the competitiveness of an AV product was determined by the ability to detect a bucketful of samples will soon be behind us. New tests, driven by the requirement for AV products to deal with spyware, will measure the ability of an AV product to manage any given threat from detection to full removal.

Detecting and removing installed and active threats presents many challenges, particularly where multiple files, processes and registry components are involved. The ability for these components to be updated from the Internet at any time and with varying frequency only complicates the issue further.

This paper will discuss the challenges that are faced by AV vendors in modifying their products to move away from blindly detecting and deleting a given set of miscellaneous samples to detecting and removing samples in the context of the installed threat.

INTRODUCTION

When viruses first began infecting files, the message from the anti-virus products of the time was to label those files as infected. In some cases the files still worked as expected, but they were performing additional functionality they were not designed for, which may ultimately have had some detrimental effect on the whole system.

The solution for fixing an infected file was to replace it with a copy of the original, thus making absolutely certain that the files on the system were clean. This solution was acceptable in the days of small, uncluttered operating systems with a limited number of installed applications. As we moved through the 1990s operating systems became increasingly complex and on top of that technology improvements meant that users could install greater numbers of increasingly complex applications. The existing solution to a virus attack – of replacing infected files – became less and less practical, particularly for home users and small businesses, and as a result there was an increasing demand for anti-virus solutions to provide disinfection for virus-infected files.

Today a similarly significant change in demand is occurring. Threats are increasing in complexity to the point where it is no longer possible to provide simple instructions to assist with removal. The explosion of spyware has seen a rise in the number of threat types that install many components, such as files and registry entries. So whereas once removing a trojan would have been a matter of killing a process, removing a file and deleting a registry entry, we now have threats that require the removal of many of each of these components. In addition, there has been a significant rise in the number of threats making use of stealthing and anti-removal technologies to further complicate removal procedures.

The complexity of removing threats with many components has led to customers demanding that security solutions manage the threat for them. Microsoft might have you believe that there are cases where this is just not possible [1]: ‘When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit.’ But as with the solution originally recommended for files infected with viruses, this is not currently a practical solution, particularly for home users and small businesses.

THE MULTI-COMPONENT THREAT

There are now many threats, particularly those associated with potentially unwanted applications such as adware, that add and modify multiple process, file and registry entries on the system. These multi-component threats present a number of challenges to security products attempting to reverse the changes that have been made to the system. Removing a multi-component threat with the intention of restoring a system to a stable and secure state may only involve reversing some of the changes resulting from the installation of that threat. However, removing a threat to the satisfaction of a customer means detecting and removing every installed component and restoring modified settings back to their original values.

Component classification

Installed threats can be thought of as containing two key categories of components: primary and secondary components.

 

Primary components

Primary components are the most significant of any threat. These are the ones that actually provide the threat with its functionality or cause that functionality to be loaded when the operating system starts up or a user logs in. Removing a threat’s primary components should, in most cases, be enough to neutralize the threat, preventing it from causing further damage, loss of information or error reports from the system. There are two categories of primary component.

Individual primary components: these are typically the executable files that provide the functional features of the threat, processes associated with those files and associated load points in the registry. Detection of these components will indicate that a system is affected by a particular threat, but simply removing them is not necessarily a sufficient solution to the infection.

Compound primary components: these are the components of a threat that are implemented by the modification and addition of multiple files and registry entries. Examples are services registered with the service control manager, layered service providers (LSP) hooked into the Windows TCP/IP handler, Internet Explorer browser helper objects (BHO) and other registered COM objects. Effective removal of compound components requires the modification of all the affected entries on the system. In some cases failing to fully manage all the changes made by a compound component will not result in any detrimental effects; in other cases significant damage can be caused. Removing a file associated with an LSP, for example, will result in the loss of network connectivity if the Winsock entries in the registry are not modified to remove that particular LSP.

 

Secondary components

Secondary components are typically comprised of registry entries and ancillary files such as data files, logs, configuration files, etc. If left on the system many of these components would remain benign as they are of no use without the primary components of the threat. However, for completeness they should ideally be removed or restored to a pre-infected state.

REMOVING THE INSTALLED THREAT

There are two significant steps in the removal of an installed threat. First of all the installed threat and all its components, both primary and secondary, need to be identified. Once that’s completed the analysis of the threat can be used to define the actions that are required to remove the threat from the system so as to leave the system in a usable and secure state.

Detection phase

The objective of the detection phase is to build a complete list of all the installed components of every threat found on the computer being scanned. Once multi-component threats are taken into account, we will see that two scanning techniques are needed in order to build these lists of components effectively and efficiently.

 

Scanning techniques

Content scanning and context scanning are the two main static detection techniques that are generally used for detecting the presence of an installed threat and collating all the components of that threat.

 

Content scanning

Content scanning techniques, traditionally used by AV scanners, can be used for detecting primary file components such as the executable components of a threat. However, this technique is not necessarily the most suitable for detecting secondary file components, particularly data files, log files, etc. that are subject to frequent, unpredictable changes. In addition it is not always necessary to detect every component directly via content scanning, since once the scan has determined that a particular threat is installed there are more efficient methods, such as the context scanning technique discussed below, for detecting the remainder of the threat.

 

Context scanning

Contextual scanning techniques, more commonly relied upon by dedicated anti-spyware solutions, provide a method for detecting threats based on the known presence of a particular set of entries on the system being scanned. This method uses rules such as combinations of names and locations of file and registry settings to determine whether a threat is installed on the system.

 

For example, consider the following set of entries on the system:

File: <system>\taskmon.exe

File: <system>\shimgapi.dll

Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon = taskmon.exe

Registry: HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\Default = "shimgapi.dll"

Without scanning the contents of either of the files we can positively identify the system as being infected with W32/MyDoom-A.

 

Context scanning is not the most effective or practical technique when used on its own. For example, it is of little use at the gateway, where there is no installed system for context rules to be applied to.

There is also the complication of making a positive identification of a particular threat, where common file names or registry entries are being added or modified, leading to non-specific reports such as, ‘this file and these registry entries are suspicious’. There is also a greater risk of false positive reports, particularly when relying on individual component attributes such as the names of files or registry entries.

 

For example, consider the following file and registry entry:

File: <windows>\system.exe

Registry key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\system = system.exe

At the very best this combination of components can be labelled as suspicious, but without scanning the contents of the file system.exe it is not possible to tie it down to any one particular threat, or even a threat at all.

Where context scanning has its most effective use is when used in combination with content scanning on the desktop to assist in collating all the components of an installed threat. The positive identification of one or more of a threat’s primary components, e.g. files or processes, based on their contents, can be used to trigger context scanning rules. The context scan will use these rules to identify the components of the threat installed on the computer without relying on a content scanner to positively identify every individual component.


Consider the W32/MyDoom-A example above. If a scheduled scan of a system detects W32/MyDoom-A in taskmon.exe then this information can be used to trigger a context rule that seeks out the other components of W32/MyDoom-A (see Figure 1).
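The following is an added example, not Sophos code, of the content-triggered context scan just described; it also covers the system.exe case from the previous section. The W32/MyDoom-A file and registry entries are the ones listed above. The byte marker standing in for a real content signature, the expansion of <system> and <windows> to default install paths, the files and registry values of the scanned machine, and the generic system.exe rule are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: default install locations for the placeholders used in the paper.
ROOTS = {"<windows>": r"C:\WINDOWS", "<system>": r"C:\WINDOWS\system32"}


def norm(path: str) -> str:
    # Expand the placeholders and lowercase: Windows file and registry names are case-insensitive.
    for tag, root in ROOTS.items():
        path = path.replace(tag, root)
    return path.lower()


@dataclass
class ContextRule:
    threat: str
    files: List[str]
    registry: Dict[str, str]   # registry value path -> expected data
    identifies: bool           # True if the complete combination alone is a positive ID


# Constructed marker standing in for a real content signature (which would match code, not a string).
CONTENT_SIGNATURES = {"W32/MyDoom-A": b"MYDOOM-A-MARKER"}

RULES = [
    ContextRule(
        threat="W32/MyDoom-A",
        files=[r"<system>\taskmon.exe", r"<system>\shimgapi.dll"],
        registry={
            r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon": "taskmon.exe",
            r"HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\Default": "shimgapi.dll",
        },
        identifies=True,
    ),
    # Common names (constructed rule): suspicious at best, never an identification without a content hit.
    ContextRule(
        threat="suspicious Run-key loader",
        files=[r"<windows>\system.exe"],
        registry={r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\system": "system.exe"},
        identifies=False,
    ),
]


@dataclass
class Snapshot:
    files: Dict[str, bytes]    # normalised path -> file content
    registry: Dict[str, str]   # normalised value path -> data


def make_snapshot(full_install: bool = True, infected_content: bool = True) -> Snapshot:
    # Constructed machine state; system.exe here is benign and merely shares a common malware name.
    marker = CONTENT_SIGNATURES["W32/MyDoom-A"] if infected_content else b"\x00" * 16
    files = {
        norm(r"<system>\taskmon.exe"): b"MZ" + marker,
        norm(r"<windows>\system.exe"): b"MZ" + b"\xcc" * 16,
    }
    registry = {
        norm(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon"): "taskmon.exe",
        norm(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\system"): "system.exe",
    }
    if full_install:
        files[norm(r"<system>\shimgapi.dll")] = b"MZ" + b"\x00" * 16
        registry[norm(r"HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\Default")] = "shimgapi.dll"
    return Snapshot(files, registry)


@dataclass
class Report:
    threat: str
    confirmed: bool      # positive identification, or merely "these entries are suspicious"
    present: List[str]   # components found: the list the removal phase works from
    missing: List[str]   # rule components absent from this machine


def content_scan(snap: Snapshot) -> Dict[str, List[str]]:
    # Traditional content scanning: which files carry which signature.
    hits: Dict[str, List[str]] = {}
    for path, data in snap.files.items():
        for threat, sig in CONTENT_SIGNATURES.items():
            if sig in data:
                hits.setdefault(threat, []).append(path)
    return hits


def apply_rule(rule: ContextRule, snap: Snapshot) -> Tuple[List[str], List[str]]:
    # Context scanning: names and locations only, file contents are never read.
    present, missing = [], []
    for f in rule.files:
        (present if norm(f) in snap.files else missing).append(norm(f))
    for key, data in rule.registry.items():
        found = snap.registry.get(norm(key))
        (present if found is not None and found.lower() == data.lower() else missing).append(norm(key))
    return present, missing


def scan(snap: Snapshot) -> List[Report]:
    hits = content_scan(snap)
    reports: List[Report] = []
    for rule in RULES:
        present, missing = apply_rule(rule, snap)
        if not present:
            continue
        # A content hit on a primary component triggers the rule and confirms the identification;
        # without one, only a complete combination from an identifying rule counts as positive.
        confirmed = rule.threat in hits or (rule.identifies and not missing)
        reports.append(Report(rule.threat, confirmed, present, missing))
    return reports
```

On the full snapshot the content hit in taskmon.exe triggers the W32/MyDoom-A rule, which collates all four components without reading shimgapi.dll; on a partial install the content hit still confirms the identification and the missing list tells the removal phase which components were not there to remove. The system.exe entries, being benign and sharing only a common name, never rise above a suspicious report.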

 

Scanning requirements

The majority of standard non-malicious applications can be considered to have a predictable, well behaved installation. The information that the application is installed on a computer is sufficient to determine the names and locations of all components, both primary and secondary.

There are many cases where this is true for malicious applications as well. Many trojans and worms are predictable between infections, and this in turn can make them easy and quick to remove, as detecting a single component is enough information to clean the whole of the malicious application from the system without scanning the whole system to detect each component explicitly. This is true for the W32/MyDoom-A example in Figure 1.

This predictability is not true of all malicious or potentially unwanted threats though. There are examples where more extensive scans of the system are required to ensure that all components of a threat have been identified correctly so that a successful cleanup of the system can be carried out (Figure 2). This is particularly true of threats such as the adware application Look2Me that contains randomly named components.

A further complication is added when threats use sophisticated stealthing techniques to hide components of their installation. Depending on the techniques used it may be possible to infer the presence of a stealthed threat using standard user mode content scanning and to use contextual techniques to build a full list of installed components. Otherwise more sophisticated rootkit detection techniques will be required.



Defining the removal procedures for a specific threat is becoming increasingly dependent on a detailed analysis of that threat to determine how the threat behaves when removal actions are applied.


Anti-removal techniques

A complete technical paper could be written on anti-removal techniques, which is not my intention here. Instead I will refer you to Sergei Shevchenko’s article [4] and Eric Chien’s paper [5] for examples of the complications that can be involved. I will summarize here the considerations that security products must take into account when countering the attempts by threats to prevent their own removal.

Threats are increasingly employing techniques to complicate the removal of their software. Some of these techniques have been seen for many years in malware. One example is monitor or watchdog processes where one or more threads are set up to continually monitor the active status of the threat and its various components, as effectively implemented by W32/Chir-B back in 2002.

Another example is injecting code into system processes that cannot be restarted without shutting down the system, as used by W32/Lovgate in the following year. More complex techniques, however, have been coming from potentially unwanted applications such as adware. There is big money to be made out of these products and the vendors behind them often have teams of engineers to implement techniques that will prevent users from removing the applications. Techniques used include installing drivers to implement rootkit-style protection mechanisms, regularly renaming components of threats to subvert context detection and modifying privileges to the extent that even the administrator has no power to do anything about the threat.

In the simpler cases these techniques can be subverted by carefully considering the order in which components of the threat are removed from the system. In more complex cases it may not be possible to remove a threat in place and instead it is necessary to implement removal strategies that involve rebooting the operating system and completing removal actions during or after the boot-up sequence.


Shared components

An important consideration to make when removing a threat from a system is identifying the components of a threat that are shared, or non-exclusive. These are components that may have been installed by the threat but are actually third-party applications or components used to provide additional functionality to the threat but not designed exclusively for that threat.

An example of a non-exclusive component is a language library. A threat may install a library to ensure that it runs on the targeted system, but it is not possible to say, without a reliable snapshot history of the system, whether that library file was on the system prior to installation of the threat. It is therefore unsafe to remove such components; however, it should also be pointed out that leaving them in place does not pose any increased security risk.
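The following is an added example, not code from the paper, that shows the content-to-context hand-off described above (a content identification of a primary component triggering the context rules for the rest of the threat, including a randomly named component) together with the shared-component rule from this section. The threat name, file paths, registry key and file contents are all constructed for illustration; the registry value is removed before the files so the threat cannot be re-launched mid-cleanup.

```python
import fnmatch
import hashlib

# Constructed snapshot of an infected system: path -> file bytes. Nothing here is a real sample.
FILES = {
    r"C:\Windows\System32\taskmon.exe": b"constructed primary component",
    r"C:\Windows\System32\helper_ab12.dll": b"constructed randomly named secondary component",
    r"C:\Windows\System32\msvcr71.dll": b"constructed shared runtime library",
    r"C:\Windows\System32\notepad.exe": b"constructed legitimate file",
}
REGISTRY = {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon": "taskmon.exe"}
# Content identity: hash of the primary component (constructed; products use richer signatures).
CONTENT_SIGS = {hashlib.sha256(FILES[r"C:\Windows\System32\taskmon.exe"]).hexdigest(): "Threat-X"}
# Context identity for the same threat: what to look for once a primary component is confirmed.
CONTEXT_RULES = {
    "Threat-X": {
        "exclusive": [r"C:\Windows\System32\helper_*.dll"],  # threat-specific, random suffix
        "registry": [r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMon"],
        "shared": [r"C:\Windows\System32\msvcr71.dll"],      # non-exclusive: report, never delete
    }
}

def content_scan(files):
    """Hash every file; return {threat: [paths]} for positive content identifications."""
    hits = {}
    for path, data in files.items():
        threat = CONTENT_SIGS.get(hashlib.sha256(data).hexdigest())
        if threat:
            hits.setdefault(threat, []).append(path)
    return hits

def context_scan(threat, files, registry):
    """Apply one threat's context rules to the snapshot; classify what they match."""
    rule = CONTEXT_RULES[threat]
    found = {"exclusive": [], "registry": [], "shared": []}
    for path in files:
        if any(fnmatch.fnmatch(path, p) for p in rule["exclusive"]):
            found["exclusive"].append(path)
        elif any(fnmatch.fnmatch(path, p) for p in rule["shared"]):
            found["shared"].append(path)
    found["registry"] = [k for k in registry if k in rule["registry"]]
    return found

def build_removal_plan(files, registry):
    """A content hit triggers the context scan; the launch point is removed before the files."""
    plan = []
    for threat, primaries in content_scan(files).items():
        ctx = context_scan(threat, files, registry)
        plan += [("delete_value", k) for k in ctx["registry"]]
        plan += [("delete_file", p) for p in primaries + ctx["exclusive"]]
        plan += [("report_only", p) for p in ctx["shared"]]  # shared components stay on disk
    return plan
```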


Pre-infection settings

Removal of a threat also involves reversing changes made to legitimate files or registry entries that exist on the affected system. This presents a challenge, since the security product carrying out the removal operation will usually be unaware of the state of the affected system immediately prior to infection. In cases where a threat-specific entry has been set, e.g. an Internet Explorer start-up entry, a safe default can be applied. However, if the changes are not threat-specific, e.g. Internet Explorer security zone settings, then it is not even possible to determine whether the changes made by the threat actually altered the original settings.

There should arguably be some consensus in the industry to define default values for commonly modified entries on a system where it is unlikely that the pre-infected state is known.


complicate, the removal of unwanted applications. There are strategies for getting around these anti-removal techniques but it means that more often we are seeing threats that require removal identities that are as specific as the identities that detect the threat.

The varying effectiveness of the different security solutions offering removal of installed threats has led to the

requirement for specific testing to provide objective comparisons of how well these security products perform at this task. However, unlike traditional anti-virus testing where there are only two results, detected and not detected, there is a certain amount of middle ground with tests that measure the effectiveness of removal. A system can be rendered stable and secure without necessarily removing or restoring every single component of a threat.

REFERENCES

[1]            Naraine, R. Microsoft says recovery from malware becoming impossible. eWeek.com. April 2006. http://www.eweek.com/article2/ 0,1895,1945808,00.asp.

[2]            Paget, F. Adware & Spyware Free Detection/ Cleaning Tips and Techniques. AVAR Conference 2005.

[3]            Polischuk, A., Kovtun, A. Operating System Recovery by Anti Virus software. AVAR Conference 2005.

[4]            Shevchenko, S. Standing the privilege attack. Virus Bulletin, June 2005.

[5]            Chien, E. Techniques of adware and spyware. In Proceedings of the Virus Bulletin International Conference. 2005.


CONCLUSION

In this paper I have described how security products such as anti-virus and anti-spyware software generally use two main static scanning techniques to assist with the detection of the components of an installed threat: the content scanning

traditionally employed by anti-virus solutions and context scanning solutions often relied upon by dedicated

anti-spyware solutions.

I have shown that neither scanning technique is the sole solution to the problem of identifying the components of a threat that should be flagged for removal. Instead, a combination of the two techniques needs to be implemented to provide the most effective and efficient solution. Having the two scanning techniques also provides an additional level of mitigation against the frequent updating we see occurring with some threats today.

Identifying all the components of an installed threat is not the sole requirement for removing that threat. Authors of malware and potentially unwanted applications are aware of the attempts by anti-virus and anti-spyware products to remove their applications. So just as malware authors have

historically strived to create viruses that subvert detection the aim now is to implement techniques that prevent, or at least