1. Using Windows to Defend Windows Scott Wilson Levi Arnold Oklahoma State University
2. Malware – first steps in fighting Recognize that something's wrong Learn to run a scan/removal tool, like SpyBot, SpywareDoctor, MBAM or another. Very excited, willing to suggest a scan as a solution to every problem they see.
3. Malware – next steps in fighting Learn about layered defenses and the difference between antivirus and anti-spyware scanners. Learn how to better use scanners and removal tools; know when MBAM will work better than SpyBot, know what false positives are likely to be thrown by scanners.
4. Begin to get past scanning Learn some more in-depth software tools, like the Sysinternals Utilities. Begin to get an idea how malware works.
5. Going past scanning Dealing with a 4-H agent’s computer Ran SpyBot and some other scanners, but the machine kept re-infecting itself after rebooting.
6. Recovery Console In-law’s computer Vundo and TDSS, hybridized Vundofix didn’t work, neither did Avenger, neither did Combofix, neither did …
7. Recovery Console RC command “disable” allows disabling services/device drivers disable {[service_name]|[device_driver_ name]} RC also allows viewing of hidden files Other boot disks can give similar options, although they can be difficult to configure.
8. Hosts files County employee who loved StarWare, even though it was making her machine crash constantly.
9. Hosts files Ad-blocking host files from Mike Skallas (www.everythingisnt.com) and MVPS (www.mvps.org)also block many malware sites.
10. Hosts files Host files can also be used positively, to provide a constant reference for a machine.
11. Executable redirecting Open regedit Browse to HKLMoftwareicrosoftindows NTurrentVersionmage File Execution Options Create a new key with the name of the process you want to block; e.g., calc.exe
12. Executable redirecting Create a new string value under that key. Name it Debugger. Modify the value data to be: Rundll32.Exe url.Dll,FileProtocolHandler http://www.google.com/search?q=
16. Executable redirecting It’s possible to call any type of executable file from the redirect, so using a batch file to script multiple actions upon malware executing is possible.
17. Executable redirecting Up side: possible to immunize the system against annoying things like AV2008. Possible to script events to happen to alert your IT staff when a computer gets infected.
18. Executable redirecting Down side: have to know the name of the executable or process. It’s not practical to immunize against those malware objects that generate a random name – although you can stop them executing while working on a system.
19. Going forward Learn about malware. Learn how it works, how it spreads, what the different types do. Learn some programming; it will help you to have some idea of how malware works.
21. Learning Resources - Fora Geek University : Forum-based training for malware fighters. http://www.geekstogo.com/forum/index.php?autocom=custom&page=GeekU Bleeping Computer: Has both removal guides and excellent fora. http://www.bleepingcomputer.com/ PC Hell: similar to Bleeping Computer. http://www.pchell.com/
22. Learning Resources - Other Email lists. Vince Verbeke has a good one – send him an email to subscribe. Books: Malware: Fighting Malicious Code by Ed Skoudis; Hacking Exposed: Malware and Rootkits by Davis, Bodmerand Lord (September 16th)
