I'm certain that something like this has happened to you. You're at work/home/shopping and a friend/coworker/family member asks/phones/sends a telegram to you, basically stating: "My computer is acting strangely, do you think I have a virus?"

I had this happen this week, so I asked: "Describe strange."

So they listed off some symptoms:

slow to boot
takes a while for the computer to catch up to what you're typing
can't get rid of this silly toolbar
password to (some service) is no longer working

Stop right there. I know what the problem is: you've got (fill-in-the-blank banking/keylogging trojan), so you need to rebuild your system.

Now's not a good time to do that. Is there anything else you can do?

Yes, but I don't recommend it.

What You Should Do

The correct response when suspecting a compromise like this on a non-enterprise device is to simply buy a new hard drive and an external enclosure for your old drive. Then install fresh, and migrate what you need from the old drive. Migrate data, not programs: reinstall applications from trusted sources rather than copying executables, installers or browser profiles across, or you risk carrying the infection over with them. It's time-consuming and a hassle (because people invariably install a bunch of things on their systems and forget passwords and license keys, etc.), but it's the only way to be sure, and it's the non-enterprise equivalent of nuking it from orbit.

What I Did

Because I'm sensitive to the realities of life, and the solution above does not fit all cases, I started off with a quick assessment of the device. Using Autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx) the slow-boot problem was pretty obvious: there were at least three different anti-virus programs running on the system and competing for resources.

Since we agreed that we weren't going to seek prosecution on this incident, just clean it up and get it working again (so there was no need to image the disk or preserve a chain of custody before touching it), I just dove into ripping out all of the free/demo AV programs, and some of the other bloatware introduced by the manufacturer.

That fixed the performance issues on the next reboot. But how do we keep the machine safe? We picked one AV solution. I'm a fan of defense-in-depth, but multiple AV programs are not defense-in-depth, they're width... or something... Anyway, it's not good: each real-time scanner hooks the same file and process events, so they scan each other's work and contend for the same disk and CPU. I also recommend an up-to-date browser, and if you use Firefox I really, really recommend NoScript (http://noscript.net/), plus a healthy dose of paranoia when it comes to clicking on things.

Was the System Compromised or Just Over-protected?

So I'm still left wondering whether the system had an undetected infection, so I dropped a Redline collection agent (http://www.mandiant.com/resources/download/redline/) on the box to pull a comprehensive memory capture. Before running the capture, I opened the browser, went to my bank's website, and entered a deliberately bad username/password pair as a canary, and then ran the capture. The idea is that a keylogger or form-grabber would have captured those known strings, so searching the memory image for them should surface any process holding them other than the browser itself.

Golly, that takes a while to run (about 2 hours on a 4 GB system, creating 6.5 GB of data).

After plodding through with Redline and Volatility I haven't uncovered anything yet... yet.
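To illustrate the canary-credential check described above, here is an added Python example. It is not part of the ISC diary and is not Redline's or Volatility's own code; the canary values are hypothetical, and the "memory image" is a constructed stand-in, where the real input would be the raw image Redline produced and the real values whatever was typed into the bank's login form.

```python
import re

# Hypothetical canary credentials typed into the bank's login form before the
# capture; the diary does not give the values actually used.
CANARY_USER = "isc.canary.user"
CANARY_PASS = "N0tMyR3alPassw0rd!"


def encodings_of(s: str) -> dict:
    """Byte forms a keylogger or form-grabber might hold in memory: plain ASCII
    (HTTP POST bodies, many log files) and Windows' native UTF-16LE (edit
    controls, clipboard, most Win32 string APIs)."""
    return {"ascii": s.encode("ascii"), "utf-16le": s.encode("utf-16-le")}


def search_image(image: bytes, needle: str, context: int = 16) -> list:
    """Scan a raw memory image for every encoding of needle.

    Returns a list of (encoding, offset, surrounding bytes) tuples, one per hit,
    sorted by offset, so the analyst can see what the string sits next to
    (a POST body, a keystroke log, a browser text buffer)."""
    hits = []
    for name, pattern in encodings_of(needle).items():
        for m in re.finditer(re.escape(pattern), image):
            lo = max(0, m.start() - context)
            hi = min(len(image), m.end() + context)
            hits.append((name, m.start(), image[lo:hi]))
    return sorted(hits, key=lambda h: h[1])


def yara_rule(needle: str, name: str = "canary_creds") -> str:
    """Emit an equivalent YARA rule ("ascii wide" covers both encodings) for
    Volatility's yarascan plugin, which also names the process owning each hit."""
    escaped = needle.replace("\\", "\\\\").replace('"', '\\"')
    return (
        f"rule {name} {{\n"
        f"    strings:\n"
        f'        $s = "{escaped}" ascii wide\n'
        f"    condition:\n"
        f"        $s\n"
        f"}}\n"
    )


def build_sample_image() -> bytes:
    """Constructed stand-in for a memory capture (not a real image): filler
    covering every byte value, with the username planted once as ASCII (as it
    would sit in an HTTP POST body) and the password once as UTF-16LE (as a
    form-grabber hooking the browser's edit control would hold it)."""
    filler = bytes(range(256)) * 8
    post_body = b"user=" + CANARY_USER.encode("ascii") + b"&pass="
    return filler + post_body + filler + CANARY_PASS.encode("utf-16-le") + filler


if __name__ == "__main__":
    img = build_sample_image()
    for cred in (CANARY_USER, CANARY_PASS):
        for enc, off, ctx in search_image(img, cred):
            print(f"{cred!r} as {enc} at offset {off:#x}: {ctx!r}")
    print(yara_rule(CANARY_PASS))
```

Both ASCII and UTF-16LE forms are searched because Windows GUI applications, and the form-grabbers that hook them, hold typed text as wide characters, while a POST body sitting in a socket buffer is ASCII. A hit inside the browser's own memory is expected and proves nothing; the signal is the same string in another process, in a file, or in an outbound request to somewhere other than the bank. A raw offset scan cannot tell you which process owns a hit, which is why the block also emits a YARA rule to hand to Volatility's yarascan plugin, which reports the owning process for each match.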
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
