Recently I was scoping for a safe enough ATM to pull out some cash in the Czech Republic. I came across this one…
If I didn’t know better I would think that there was some “bonus” hardware plugged into this ATM that was having an issue running.
If you are interested with the comings and goings of ATM frawd Brian Krebs is a good place to start.
There are the traditional AV (I actually recommend Microsoft AV) scans which have a decent(ish) chance of finding malware on your computer if it has been around awhile. However, if you believe you may of gotten infected recently and you don’t have any faith in your AV there are a few things that I recommend you do.
Step 1. Install packet capture software on a second laptop. (Wireshark FTW)
Step 2. Buy a cheap tap. SharkTap off of Amazon works fine for me. Alternatively you can run Wireshark locally, but you are running the dice that the malware doesn’t look for monitoring.
Step 3. Put cheap tap in between your potentially infected computer and the internet gateway/router…. So use your RJ45 port to connect to your home router through the tap, or use a span port on your wireless router and skip the tap altogether.
Step 4. Begin your packet capture on the laptop connected to the monitor port or tap.
Step 5. Reboot your potentially infected computer.
Step 6. Look for DNS requests in wireshark. You shouldn’t have any domains being resolved for anything but Microsoft and anything set to update. If you see a domain name you don’t recognize check it out on robtex.com, and urlvoid.com. If you see IP traffic and no DNS then check ipvoid.com Step 7. Agitate. Go visit email/facebook/bank websites and enter bad credentials. See if any of the dns/ip traffic in wireshark goes elsewhere. Look out for all the bs affiliate traffic that banners/advertising create. Vet them in robtex.com. Step8. Image your computer and change all passwords that have been entered on that computer. If you made it this far you are still going to be paranoid no matter what :/
Other tools that can help..
Before you install “questionable” apps you should use something like regshot which shows you what is actually happening during an install.
If you are installing questionable apps you should be in a VM environment so you can roll it back!!!
Process Hacker from Sourceforge or something similar lets you know which actual processes are creating outbound connections and you can also dump the strings on a process and then grep for things like wildcards (http://., etc)
Adam Shostack recently published a great read on why the phrase “X is Security 101” is a hindsight-focused and generally not very useful statement.
I completely agree with his point that people who are (or pretend to be) security experts need to do more than flippantly make this remark when discussing the latest security story. [I think this is part of a larger, symptomatic issue the InfoSec community has, but I’m still formulating enough thoughts on that to publish a post on it].
Mr. Shostack, at the (near) start of 2015, I would like to see your 101 list and raise you mine:
- Use two-factor authentication for each online service you make use of – at least the critical ones
- Never reuse passwords across online services.
- Corollary to the above: use a password manager like 1password, lastpass, or keepass
- Be careful what you post on Social Media
- Corollary to the above: always be sure your Social Media preferences block sharing with anyone other than your friends
- Always inspect links in e-mails – advice I’ve been following since at least 1996
What are your Security 101 items?