- Jun 16, 2014
There have now been two attacks on member accounts here, one confirmed and another possible, and it seems likely from analysing both cases that the cause was a local infection: a malicious file on the member's computer sent passwords to a remote server.
In light of this I've decided to present some simple security tips which if you follow and implement will dramatically reduce the risk of you being compromised.
Note that this especially applies to everyone downloading samples from the Virus Exchange and running them in Sandboxie, VirtualBox or another virtual machine, the Comodo sandbox, etc.
I will endeavour to keep this thread updated and correct any errors as soon as I'm notified of them.
General Security Measures:
* Don't store passwords on your computer!
Clicking the "Remember My Password" or "Save This Password" buttons in any browser, be it IE, Firefox or Chrome, will immediately increase your chances of being hacked tenfold. The saved passwords are encrypted with a key that any program running under your user account can use (Chrome and IE rely on the Windows DPAPI user key; Firefox keeps its key in the profile folder, protected only by the optional master password), so any malware running as you can dump them to plain text with relative ease. No complicated tools are required and there are code snippets in every language from VB6 to C++. Your passwords will still be exposed even if you are using Sandboxie, because by default a sandboxed program can read files outside the sandbox; only its writes are redirected.
Solution: LastPass is a password manager that encrypts your vault on your own computer with a key derived from your master password before it is synced to the LastPass servers, so neither LastPass nor someone who steals a copy of the vault can read it without that master password. All that is required is that you create and remember one strong master password, and LastPass will store all the others for you. Bear in mind that the vault is still decrypted on your computer while you use it, so this protects your stored passwords at rest; it does not protect a machine that is already running malware with your privileges.
* Don't use weak or predictable passwords!
There is an awful lot of research publicly available into the psychology of password creation and, unsurprisingly, this research is highly useful to hackers. To see how good your password creation skills are, think up a new password, and do it honestly. Don't deliberately create a password more complicated than you normally would or this won't work. Once you've got a password in mind (one that you don't use for anything else, nor plan to), compute its MD5 hash locally (never paste a password you intend to keep into any website, hashing tools included). Then copy and paste that hash into an online lookup service such as HashKiller. If your password is displayed on the right hand side, a hacker holding a website's password database could recover it in seconds. Unsalted MD5 is not encryption: it is a fast hash that has long since been precomputed for every common password and every common mangling of it, and many websites still store passwords in exactly that form.
Solution: If you're using a service such as LastPass or another secure password manager, then the best way to generate a secure password is to make one composed of a random sequence of upper and lower case letters, numbers and symbols, at least 16 characters long, and let the manager remember it. Prefer the generator built into your password manager or an offline tool; the Norton Secure Password Generator is one of many web services that will do this for you, but anything generated in a web page has passed through that web page, so treat it as a starting point. For extra security, I recommend adding additional characters or replacing letters or numbers with some of your own once you've generated the password. This means your password is unique to you, and ensures that the online service you're using is not simply generating passwords in a predictable way which could be used to crack your password at a later date.
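The two halves of the advice above can be checked offline. The following is an added example, not code from the original post: it builds a small lookup table of unsalted MD5 hashes for a handful of dictionary words mangled the way people mangle them (capitalisation, a trailing number or year, a trailing "!"), shows that a "human" password such as Summer2014! is recovered instantly, and generates a replacement with the operating system's CSPRNG. The wordlist and the mangling rules are constructed for the demonstration and are tiny compared with what a real cracker uses.

```python
"""Added example, not from the original post: see how fast an unsalted MD5
of a human-style password falls to a small wordlist plus mangling rules,
and generate a replacement with the OS CSPRNG. Everything runs offline;
the wordlist and the mangling rules are constructed for the demo."""
import hashlib
import secrets
import string

# Constructed mini wordlist; a real attacker uses millions of leaked
# passwords and far richer rule sets, so this is the optimistic case.
WORDLIST = ["password", "summer", "monkey", "dragon", "letmein", "welcome"]
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def md5_hex(password: str) -> str:
    """Unsalted MD5, the form in which some websites still store passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def candidates(words):
    """Yield each word mangled the way people actually do it: capitalised
    or upper-cased, followed by a short number or year, then '!' or '1!'."""
    suffixes = [""] + [str(n) for n in range(2100)]
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            for number in suffixes:
                for tail in ("", "!", "1!"):
                    yield base + number + tail


def build_lookup(words=WORDLIST):
    """Precomputed hash -> plaintext table (a tiny lookup table)."""
    return {md5_hex(c): c for c in candidates(words)}


def crack(hash_hex: str, table):
    """Return the plaintext if the hash is in the table, else None."""
    return table.get(hash_hex.lower())


def generate_password(length: int = 16) -> str:
    """Random password containing all four character classes, drawn from
    secrets (CSPRNG) on your own machine rather than from a web page."""
    if length < 4:
        raise ValueError("length must be at least 4 to hold all classes")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


if __name__ == "__main__":
    table = build_lookup()          # about 113k hashes, well under a second
    for pw in ("Summer2014!", "dragon", "MONKEY1!", generate_password()):
        digest = md5_hex(pw)
        print(f"{pw:24} {digest}  ->  {crack(digest, table)}")
```

The generated 16-character password never appears in the table, not because the table is small but because nothing in it is longer than 13 characters: length plus true randomness is what defeats precomputation, which is the point of the "Solution" paragraph.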
* Don't rely on default settings!
This is a trap many of us fall into: we trust that the firewall we download, or the sandbox we run untrusted programs in, has been designed from the ground up to keep us safe and therefore we can use it right out of the box and be protected. The sad truth of the matter is that these products are simply not configured securely out of the box, because of the risk of false positives and of creating a generally unpleasant experience for users. I disagree with this line of thinking but it's the unfortunate reality, and we must learn to recondition our thinking so as to keep ourselves safe.
Solution: Check through the settings of your Firewall after you've read this post. Is there anything that looks suspicious? Look through the exclusions list, can you see any IP addresses or domain names you don't recognise? If so, copy down the address and Google it. If you can't find any information on it or you aren't sure what it is then delete it from the exclusions.
Some firewalls allow you to use a whitelist-only mode. In such a mode, the firewall will only let specific applications access the internet; all other applications and processes are denied by default. One of the great advantages of this is that if you configure the firewall so that only your browser has access to the internet, then if a trojan were to be downloaded onto your computer, even though it might slip past undetected, it won't be able to connect out. (The remaining gap is malware that injects into or drives the whitelisted browser itself, which is one reason the sandbox hook restrictions below matter.) Programs such as feed aggregators or a weather widget initiate their own connections, so they cannot work on inbound-only rules; give them outbound access only to the specific hosts and ports they need, and deny them inbound connections entirely, since a client program has no business listening for connections. This is one of the most important rules of security: give as few permissions as possible (only the minimum required to work).
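The review described above (look for rules that let unexpected programs out, and for remote addresses you don't recognise) can be scripted. The following is an added example and not part of the original post: it parses a rule dump in the layout that `netsh advfirewall firewall show rule name=all` prints on Windows and reports every enabled allow rule that breaks a whitelist-only policy. The three sample rules are constructed by hand, and the approved program list and the set of vetted remote addresses are assumptions you would replace with your own.

```python
"""Added example, not from the original post: audit a Windows Firewall rule
dump for programs allowed out that are not on an approved list, inbound
listeners, and rules scoped to unrecognised remote addresses. The sample
text is constructed in the key/value layout of
`netsh advfirewall firewall show rule name=all`; the approved lists are
assumptions."""
import re

# Constructed sample. The third rule is the kind of "exclusion" a trojan
# or a careless installer leaves behind: a svchost.exe that lives in
# AppData, talking to one hard-coded address.
SAMPLE_RULES = """\
Rule Name:                            Firefox (outbound)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Private,Public
Program:                              C:\\Program Files\\Mozilla Firefox\\firefox.exe
RemoteIP:                             Any
Protocol:                             TCP
RemotePort:                           80,443
Action:                               Allow

Rule Name:                            Weather widget
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Private,Public
Program:                              C:\\Users\\alice\\AppData\\Local\\Weather\\weather.exe
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            8080
Action:                               Allow

Rule Name:                            Windows Update Helper
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Program:                              C:\\Users\\alice\\AppData\\Roaming\\svchost.exe
RemoteIP:                             198.51.100.23
Protocol:                             Any
Action:                               Allow
"""

# Assumed allow-list: only these programs may initiate outbound connections.
APPROVED_OUTBOUND = {r"c:\program files\mozilla firefox\firefox.exe"}
# Assumed vetted remote scopes. "Any" is normal for a browser rule; a single
# hard-coded address on a program you did not add is what to look for.
KNOWN_REMOTES = {"any"}


def parse_rules(text):
    """Split a netsh-style dump into one dict (lower-case keys) per rule."""
    rules, current = [], None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+?):\s+(.*)$", line)
        if not m:
            continue                      # separators and blank lines
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if key == "rule name":
            current = {"rule name": value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


def audit(rules):
    """One finding per policy violation among enabled allow rules."""
    findings = []
    for r in rules:
        if r.get("enabled", "").lower() != "yes" or r.get("action", "").lower() != "allow":
            continue
        name = r["rule name"]
        program = r.get("program", "").lower()
        direction = r.get("direction", "").lower()
        remote = r.get("remoteip", "any").lower()
        if direction == "out" and program not in APPROVED_OUTBOUND:
            findings.append(f"{name}: outbound allow for non-approved program {program or '(any)'}")
        if direction == "in" and program:
            findings.append(f"{name}: inbound allow exposes a listener on {program}")
        if remote not in KNOWN_REMOTES:
            findings.append(f"{name}: scoped to unrecognised remote address {remote}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_rules(SAMPLE_RULES)):
        print("FINDING:", finding)
```

On a real machine, redirect the netsh output to a file and feed its contents to `parse_rules` instead of `SAMPLE_RULES`; every address that the audit flags is one to look up before you decide whether the rule stays.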
* Sandboxie Configuration Tips
* Deny access to folders
Navigate to the following tab on the Sandboxie settings menu: Sandboxie Settings > Resource Access > File Access > Blocked Access, and deny access to the following folders (feel free to add your own too). This matters because Sandboxie only redirects writes; a sandboxed program can read anything on the real disk unless you block it here. Note that %APPDATA% already expands to the Roaming folder, so the local-profile paths use %LOCALAPPDATA% (the Sandboxie dialog writes these with its own variables, such as %AppData% and %Local AppData%):
* %APPDATA%\Microsoft\Credentials
* %LOCALAPPDATA%\Microsoft\Credentials
* %APPDATA%\Mozilla\Firefox\Profiles
* %LOCALAPPDATA%\Google\Chrome\User Data\Default
* %APPDATA%\Moonchild Productions\Pale Moon
* C:\Windows\Application Data\Mozilla\Firefox\Profiles (Windows 9x/ME single-user profile)
* C:\Windows\Profiles\<Your account name>\Application Data\Mozilla\Firefox\Profiles (Windows 9x/ME user profiles)
* %USERPROFILE%\Documents (Windows XP: %USERPROFILE%\My Documents)
* %USERPROFILE%\Pictures (Windows XP: %USERPROFILE%\My Documents\My Pictures)
* %USERPROFILE%\Music (Windows XP: %USERPROFILE%\My Documents\My Music)
* %USERPROFILE%\Downloads
* C:\Documents and Settings\All Users\Documents (Windows XP and below)
* C:\Users\Public (Windows Vista and above)
* Deny access to registry keys
Navigate to the following tab on the Sandboxie settings menu: Sandboxie Settings > Resource Access > Registry Access > Blocked Access, and deny access to the following keys, which hold Internet Explorer's saved form and password data (feel free to add your own too):
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
* HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider
* Restrict Internet Access
Navigate to Sandboxie Settings > Restrictions > Internet Access and review the programs allowed unrestricted internet access in the sandbox. Sandboxie unfortunately does not let you choose between inbound-only and outbound-only connections, so the most secure setting here is to carefully select the programs you wish to have access to the internet. Remove the setting "Allow all programs to access the internet" and add only the individual programs that need access, for example your web browser. Note: it is very unwise to allow an unknown file access to the internet if Sandboxie is running on your normal computer (and not a dedicated test machine). You should at least conduct static analysis first, for example by extracting the strings from the file to look for URLs it might connect to (if you want to see what lives at those URLs, fetch them from an isolated machine, not your own). For all you know, the file could be a remote administration tool, giving a hacker a foothold in your sandbox (and, through any weakness in its configuration, your computer), or it could simply send your data back.
* Drop Rights
Ensure that the box "Drop rights from Administrators and Power Users groups" is checked. With it checked, programs in the sandbox run with a restricted token even when you are logged on as an administrator, so a sample cannot use your admin rights to reach outside the sandbox; leaving it unchecked (the insecure setting) hands the sample whatever rights your own account has.
* Low Level Access
All of these options should be left unchecked, with the possible exception, in very specific and controlled circumstances, of "Permit programs in this sandbox to load application (Win32) hooks into other programs". If you don't know what this means, please leave it disabled, as it poses a very high security risk: an application running in the sandbox may gain access to a process running outside the sandbox, and through it to your unprotected computer.
* Hardware Access
Again, these options should be left unchecked. Unless you are testing a piece of AutoIt malware which requires control of your mouse and/or keyboard as part of its payload, there is next to no reason why you would need these options checked under ordinary analysis circumstances.
* More Sandboxie safety settings will be added soon. Common sense will get you a long way, however.
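Sandboxie keeps the settings from the steps above as plain lines in Sandboxie.ini, which means the whole checklist can be audited in one pass rather than clicked through box by box. The following is an added example, not from the original post. It assumes the GUI stores blocked folders and keys as repeated ClosedFilePath= and ClosedKeyPath= lines, the Drop Rights box as DropAdminRights=y, and the Internet Access restriction as a ClosedFilePath rule on the InternetAccessDevices token where a "!program.exe," prefix means "everyone except program.exe"; the path variables (%AppData%, %Local AppData%, %Personal%, %User Profile%) are Sandboxie's own. The sample ini and the approved program list are constructed.

```python
"""Added example, not from the original post: audit one box in
Sandboxie.ini against the restrictions the post walks through, and emit
the lines that would close the gaps. Assumptions (see lead-in): settings
are stored as ClosedFilePath= / ClosedKeyPath= / DropAdminRights=y lines
and the InternetAccessDevices token; the sample ini is constructed."""

# Folders from the post, written with Sandboxie's own path variables
# (assumed to be what the Blocked Access dialog writes).
REQUIRED_FILE_PATHS = [
    r"%AppData%\Microsoft\Credentials",
    r"%Local AppData%\Microsoft\Credentials",
    r"%AppData%\Mozilla\Firefox\Profiles",
    r"%Local AppData%\Google\Chrome\User Data\Default",
    r"%AppData%\Moonchild Productions\Pale Moon",
    r"%Personal%",                      # My Documents
    r"%User Profile%\Downloads",
]
REQUIRED_KEY_PATHS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2",
    r"HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider",
]
NET_TOKEN = "internetaccessdevices"

# Constructed weak configuration: one credential folder blocked, Drop
# Rights absent, and an unknown sample granted internet access.
SAMPLE_INI = r"""
[GlobalSettings]
FileRootPath=\??\%SystemDrive%\Sandbox\%USER%\%SANDBOX%

[DefaultBox]
Enabled=y
ConfigLevel=7
ClosedFilePath=%AppData%\Microsoft\Credentials
ClosedKeyPath=HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider
ClosedFilePath=!iexplore.exe,InternetAccessDevices
ClosedFilePath=!unknown_sample.exe,InternetAccessDevices
"""


def parse_box(ini_text, box):
    """(key, value) pairs of one [box] section; duplicate keys are kept,
    which is why configparser is not used here."""
    pairs, in_box = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_box = line[1:-1].lower() == box.lower()
        elif in_box and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip().lower(), value.strip()))
    return pairs


def audit_box(ini_text, box="DefaultBox", approved_internet=("iexplore.exe",)):
    """Compare one box against the post's checklist and return findings."""
    pairs = parse_box(ini_text, box)
    closed_files = [v for k, v in pairs if k == "closedfilepath"]
    closed_keys = {v.lower() for k, v in pairs if k == "closedkeypath"}
    lowered = {v.lower() for v in closed_files}
    exempt, restricted = set(), False
    for v in closed_files:
        if v.lower().endswith(NET_TOKEN):
            restricted = True             # some internet rule exists
            prefix = v[: -len(NET_TOKEN)].rstrip(",")
            if prefix.startswith("!"):    # "!prog," = everyone except prog
                exempt.add(prefix[1:].lower())
    approved = {a.lower() for a in approved_internet}
    return {
        "missing_file_blocks": [p for p in REQUIRED_FILE_PATHS if p.lower() not in lowered],
        "missing_key_blocks": [p for p in REQUIRED_KEY_PATHS if p.lower() not in closed_keys],
        "drop_rights": ("dropadminrights", "y") in [(k, v.lower()) for k, v in pairs],
        "internet_restricted": restricted,
        "internet_unapproved": sorted(p for p in exempt if p not in approved),
    }


def fix_lines(findings, approved_internet=("iexplore.exe",)):
    """Sandboxie.ini lines that close the gaps found. Lines that grant an
    unapproved program internet access must be deleted by hand; appending
    cannot revoke them."""
    lines = [f"ClosedFilePath={p}" for p in findings["missing_file_blocks"]]
    lines += [f"ClosedKeyPath={p}" for p in findings["missing_key_blocks"]]
    if not findings["drop_rights"]:
        lines.append("DropAdminRights=y")
    if not findings["internet_restricted"]:
        lines += [f"ClosedFilePath=!{p},InternetAccessDevices" for p in approved_internet]
    return lines


if __name__ == "__main__":
    result = audit_box(SAMPLE_INI)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("\n[DefaultBox] additions:\n" + "\n".join(fix_lines(result)))
```

Run against your real Sandboxie.ini (Sandboxie reloads it when you save through the GUI, or via the "Reload Configuration" menu item), and treat every entry in `internet_unapproved` as a line to remove, not just a warning.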
* Comodo Sandbox Configuration Tips
* Application Paths
Navigate to the Comodo Sandbox menu at Tasks > Sandbox Tasks > Open Advanced Settings > Security Settings > Defense+ > Sandbox and review the list of programs configured to automatically run in the sandbox. Ensure that all of the programs here are set to "Fully Virtualized" under the Restriction Level column. This gives the strongest separation Comodo offers between your computer and the running program: its file and registry writes are redirected into the sandbox instead of landing on the real system. It is unwise to allow unknown files to run in anything other than Fully Virtualized mode.
* Do not virtualise access to the specified files/folders
Ensure this option is not checked and click the blue text to open the "Manage Exceptions" menu. Ensure there are no files or folders listed here as any sandboxed process will have direct access to these.
* Do not virtualize access to the specified registry keys/values
Ensure this option is not checked and click the blue text to open the "Manage Exceptions" menu. Ensure there are no registry keys or values listed here, as any sandboxed process will have direct access to these.
* Enable automatic startup for services installed in the sandbox
Uncheck this option.
* Protect Virtual Kiosk with a password
This option allows you to set a password which must be entered before the sandbox can be closed. I thoroughly recommend doing this. Click the word "password" to set the password, see the above notes on choosing a secure password.
* Protect data folders and registry keys
Ensure that all the folders and registry keys listed above under "Sandboxie Configuration Tips" are also blocked from processes running in the Comodo sandbox.
As I said earlier, I will aim to update this guide regularly to cover the existing programs better and add other programs as well (VMware/VirtualBox coming soon). The truth is that no guide will protect you from getting infected; only your actions will. This guide cannot stop you from running the file that will steal your passwords and lead to your email account being hacked. Neither can it protect you from a badly configured sandbox which results in your files being encrypted by ransomware. If you take away anything from this short guide, I hope it's that good security is a carefully planned process, not a series of one-click installs.
Thanks for reading
Version 2. Thank you to @Ignacio for spotting two important errors!