Malware, Solaris, Cisco, Firewall, Security Links and Resources

Malware Resources

Enterprise Adware Detection: Detecting Spyware Infections on a Corporate Network

Spyware and adware infections on corporate networks is a problem which is only increasing. This paper briefly describes the role that Browser Helper Objects (BHOs) play in spyware and adware infections. It also announces a new free (Open-Source) remote malware scanner which scans a corporate network for spyware infections by scanning remote registries for the presence of unauthorized BHOs.

It is the author's hope that by running this remote BHO scanner, spyware and adware installed on a users' desktop may be identified early in the infection cycle, before the machine is completely infested with multiple types of malware and dozens of new registry entries and startup items.

By identfying malware that been installed on a corporate desktop, steps can also be taken to prevent other machines from becoming infected as well.

Securing Solaris 8
with an emphasis on Solaris Packages, Software Groups, Metaclusters

Securing a Solaris Box

Install Minimal OS:
- Select which OS Software Group to install
  This article, written by us, is an introduction to Solaris 8 OS Installation options.
- Add additional Packages
  This article, written by us, is a meta-analysis of the extra Solaris packages that experts suggest you install.
Patch the system:
- Sun recommends installing patches BEFORE additional minimilization and hardening.
- Sun(tm) Patch Check
Harden the System:
- Run hardening tools such as Titan or YASSP, JASS Toolkit or harden OS manually
  - Uninstall unnecessary packages
    This article, written by us, examines the packages installed with the SUNWCreq "core" installation of Solaris, and contains a meta-analysis of which packages the experts suggest you remove on a server destined to be a firewall.
  - Disable unneeded startup services, modify and add others:An analysis of Solaris 8 Startup Files: This paper lists each Solaris startup file along with the package which installed it.
  - Modify files in /etc (including /etc/default/*, most /etc/*.conf, /etc/system and others)
  - Delete unneeded accounts and cron permissions
  - Change network settings:
    - (Read http://www.sun.com/blueprints/1200/network-updt1.pdf;
      download http://www.sun.com/solutions/blueprints/tools/nddconfig_license.html
  - and much more....
    --Follow checklists such as--
    - http://www.enteract.com/~lspitz/armoring.html
    - http://www.boran.com/security/sp/Solaris_hardening.html
    - http://www.catastrophe.net/geek/docs/Hardening-Solaris2.6.txt (Note: Solaris 2.6)
    - http://fixsolaris.sunhelp.org/fixsolaris.txt(Note: Solaris 2.6)
    - http://www.sabernet.net/papers/Solaris.html (Note: Solaris 2.5)
    - http://www.sans.org/y2k/practical/Jeff_Campione_GCUX.htm (Note: Solaris 8)
    - http://www.usenix.org/sage/sysadmins/solaris/solaris/os.html#minimal
    - http://www.roble.com/docs/secure_solaris.html
    - http://www.giac.org/practical/Michael_Harris_GCUX.doc- "Step by Step Guide to Building a Secure Solaris 8 KDE Graphical Workstation"
- Install Sysadmin Tools:
  - Packet filtering software: ipfilter or Sunscreen Light (Also: Sunscreen How-To)
  - Host-based Intrusion Detection software:
  - Other Tools:
  - Visit BigAdmin and sunfreeware
    Consider installing the following: wget iptraf webmin
Run Security Audit/Vulnerability Assessment Scans/Penetration Tests (or whatever buzzword you wish to use):
- Open Source: nessus, nmap, whisker, SAINT, sara, Boran's audit2.pl, http://www.cisecurity.org/-Center for Internet Security, WhiteHat Arsenal
- Scan from the outside (also tests your firewall, inform your firewall/IDT admin first!):
- http://www.vulnerabilities.org/nessusfreehtml.html
  Commercial Products: Cisco Secure Scanner (netsonar), Retina, ISS CyberCop Scanner http://www.securityspace.com
Establish system audit/profile:
- Run commands such as:
  /usr/platform/sun4u/sbin/prtdiag -v
  /usr/bin/showrev [-p]
  /usr/sbin/prtconf
  /usr/sbin/psrinfo -v
- Run System Profiling Software:
- Don't forget about disk information under the control of Disksuite or Veritas....
Run Network profile (goal is to should show as few listening ports as possible):
- Run the following commands(More Information):
  netstat -an | grep LISTEN"
  lsof -i | egrep 'COMMAND|LISTEN|Idle'
  rpcinfo -p
- Run This Script from sunsolve to show all active tcp connections
Monitor the System
- monitor system performance
- Receive alerts and anomolies via email/pager: logcheck or swatch
- http://www.setoolkit.com/ - SE Toolkit (Adrian Cockcroft)
- Run network profile (above) and host-based IDS (below) to make sure nothing changes w/o your knowledge
Run Host-Based IDS:(Mentioned earlier, but it's important enough to repeat)
- http://www.psionic.com
- http://www.sun.com/software/security/tripwire/
- http://www.chkrootkit.org/
  http://www.sun.com/solutions/blueprints/0501/Fingerprint.pdf
Stay Current
- subscribe to Sun managersand security focus mailing lists
- Visit Solaris and Security Sites on a regular basis

Cisco Router Resources:

http://www.cisco.com/warp/public/707/21.html - Improving Security on Cisco Routers
http://www.cisco.com/warp/public/110/32.html - Cisco's IOS Firewall Feature Set ACLS
http://nsa2.www.conxion.com/cisco/download.htm - NSA Cisco Router Security Recommendations
http://www.sans.org/newlook/resources/idfaq/vlan.htm - Are there Vulnerabilites in VLAN Implementations?
http://www.treachery.net/articles_papers/hardening_ios.html - Building Bastion Routers Using Cisco IOS
http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safe_wp.htm - SAFE: A Security Blueprint for Enterprise Networks
http://www.cisco.com/warp/public/473/90.shtml#pvlan Securing Networks with Private VLANs and VLAN Access Control Lists
http://www.cisecurity.org/bench_cisco.html- Center for Internet Security Benchmark and Audit Tool for Cisco IOS Routers

Other Goodies:

Network Intrusion Detection:
- http://www.snort.org/-snort: the grandaddy of open-source NIDS
  - Snort's friends:
  - http://www.intersectalliance.com/projects/RazorBack/index.html - Razorback: Snort real time visual notification/log analysis
  - http://freshmeat.net/projects/fwlogwatch/?topic_id=245,43,151,152- fwlogwatch: Analyze snort ids logs (and others)
- http://hogwash.sourceforge.net/-Hogwatch: Based on snort, will drop malicious packets (I guess like snort's flexresp, which I still haven't gotten to work)
- http://www.enteract.com/~lspitz/intrusion.html - IDS script for CheckPoint Firewall1.
Distributed Intrusion Detection:
- mynetwatchman
- dshield
HoneyNets:
- http://www.all.net/dtk/- Deception Toolkit
- http://ippersonality.sourceforge.net- ippersonality: Emulate another OS at network level... fool remote OS detection tools such as nmap that rely on network fingerprinting. (Not really a honetpot, but I wasn't sure how to categorize it... )
Track down the intruders (or spammers):
- http://samspade.org/- Sam Spade
- http://www.securityfriday.com/ToolDownload/PromiScan/promiscan_doc.html-Track down sniffers on your local network
- Also install Host-Based IDS (anove)
If this will be a fw1 server:
- http://www.enteract.com/~lspitz/armoring2.html- How to armor Solaris 2.8 for FW-1 NG
- http://www.phoneboy.com
- Deathstar
- fw1 analyzers
  - http://www.enteract.com/~lspitz/logger.html - fw1 log analyzer
  - http://www.enteract.com/~lspitz/fwtable.html - Examine CheckPoint's FW-1's stateful inspection table. Another of Lance's awesome resources.
IIS Headaches
- Labrea
Unix Security (Tried on Red Hat, should work on most others):
- http://www.bastille-linux.com- Bastille Linux
- http://www.linux-sec.net/Harden/harden.gwif.html-
- http://www.enteract.com/~lspitz/linux.html- Lance's "Armoring Linux"
- http://www.chkrootkit.org- Checks for rootkits; run it in a cron
- http://www.cisecurity.org/bench_linux.html- Center for Internet Security Benchmark and Scoring Tool for Linux
- linuxsecurity.com documentation: Security Quick Start- for Linux, For Red Hat

Note: Some items are mentioned more than once because they fall into more than one category.

If you know of a resource that should be added to this list, please email us at mgmg_interactive12345@12345hotmail.com
(remove all numbers from email address).

If you find this page useful, please link to us and let us know about it!

MGMG Articles:

http://www.mgmg-interactive.com/
Solaris, Cisco, Firewall, Security Resources
http://www.mgmg-interactive.com/packages1.html
An introduction to Solaris OS Installation options: Solaris Packages, Clusters, Software Groups
http://www.mgmg-interactive.com/packages2.html
A meta-analysis of the extra Solaris packages that several experts suggest you should install above and beyond your OS Core Install. These packages will increase your systems's logging and auditing, and aid in your other system administration tasks.
http://www.mgmg-interactive.com/packages3.html
An examination the packages installed with the Solaris SUNWCreq "Core" installation, and a meta-analysis of which packages the experts suggest you remove as part of the minimalization process in order to enhance system security.
An analysis of Solaris 8 Startup Files: This paper lists each Solaris Startup file along with the package which installed it.
http://www.mgmg-interactive.com/malware.html
This paper describes the role that BHOs play in spyware and adware infections. It also announces a new free (GPL) remote malware scanner, which scans remote registries for the presence of spyware and adware in the form of unauthorized Browser Helper Objects (BHOs).

(C) Copyright 2002-2005 David Glosser
mgmg_interactive12345@12345hotmail.com (remove all numbers from email address).
Please read disclaimer.

About MGMG Interactive