Thursday, November 15, 2007

/me sighs @ irony

so, as a great addition to my last post, today i come to find i have a malware issue on my windows box... blargh... glad i caught it...

it is a tad embarrassing, and i haven't had time yet to do an in-depth analysis to try to determine the extent of the damage. i've taken the basic steps to stop the bleeding, changed my passwords, and all of that... i've got a damn win box because i game, and then i get all lazy and use it for other things even though i have a perfectly capable nix box...

anyway, i know other sec professionals who i respect who've been owned, so i'm tryin not to let it get me down... who knows if it'll ever come back to haunt me or not... anyway, i'm trying to use it as motivation to improve my setup at home, as well as some of my usage habits... part of the problem is that i do tech all day, and when i get home i'd just rather wrench on things or work on the house or play games... obviously that doesn't cut it, and i need to put in the time to make sure i'm covering my bases at home like i do every day at work... bleh bleh bleh... ><

anyway, here's why this reinforces my point. it looks like this thing came in over layer 7. despite not having the perfect setup, i think i probably do more than the avg user. my win box auto patches and auto reboots. i run av and anti-malware tools. i run no-script in firefox and try to be careful where i go and what i click. and my box still gets owned. imo, this doesn't bode well for the average user.

the very minor preliminary research i've done leads me to lean towards punkbuster running on CoD (the original) being the vector. the things i see correlate to a bit back when i was playing a game and 2 guys started chatting about stuff that made my ears perk up in game... i wish i could remember what they said. anyway, they said something indicating they were about to do something, and then the server we're playin on hoses up. my box starts actin funky, so i kill the connection and bounce my box. i didn't dig any deeper than that at the time (just call me retardo).

anyway, cursory digging and i come to find that punkbuster has a slight history of vulnerabilities. There is a guy out there who is apparently vigorously exploring this app... anyway, it sucks b/c from my understanding, pb runs at a really low level in order to be able to detect cheating. you've gotta be admin to run it, last time i checked (admittedly, a couple years ago), and apparently their app is coded like crap... sigh...

but yea... so none of my security steps kept pb up to date, and it looks like mb that's how i got popped... for what it's worth, running vista might've afforded me some protection b/c it has a better security model than xp, but i'm not even interested in messin w/ vista... from now on, my win box will only be for games, and i'm not gonna do anything else w/ it, and i'm not gonna give it connectivity to data and resources on other machines...

anyway, i'll post if i ever manage to dig any useful information from the traffic captures and forensics i've got on the pwnt box. i'm putting that stuff off at least a week due to work and RW deadlines and pressures.

i'm thinking about writing an app to crawl vulnerability lists grepping for keywords of software that i run... i wonder if that already exists...
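As an added illustration of that crawler idea (example code written for this page, not anything from the original post): a small Python matcher that checks an inventory of installed software against a list of advisories and flags anything whose installed version is below the fixed version, or whose version is unknown. The product names, versions and advisory ids are constructed placeholders, and the advisory list stands in for whatever feed the crawler would actually pull.

```python
import re
from typing import Optional

# Constructed sample inventory: placeholder product names, not real software.
# The interesting entry is the third-party game add-on, which no OS auto-updater
# or AV signature set keeps current.
INVENTORY = {
    "examplecheatguard": "1.3.0",
    "examplebrowser": "2.0.9",
    "exampleplayer": None,  # version unknown: any matching advisory gets flagged
}

# Constructed sample advisories (placeholder ids and summaries, not real CVEs).
ADVISORIES = [
    {"id": "SAMPLE-0001", "fixed_in": "1.3.2",
     "summary": "ExampleCheatGuard client before 1.3.2 lets a game server run code on the player's machine"},
    {"id": "SAMPLE-0002", "fixed_in": "2.1.0",
     "summary": "ExampleBrowser 2.0.x cross-site scripting"},
    {"id": "SAMPLE-0003", "fixed_in": "2.0.0",
     "summary": "ExampleBrowser 1.x heap overflow"},
    {"id": "SAMPLE-0004", "fixed_in": "5.1",
     "summary": "ExamplePlayer playlist parsing bug"},
    {"id": "SAMPLE-0005", "fixed_in": "0.9",
     "summary": "UnrelatedDaemon denial of service"},
]


def parse_version(v: str) -> tuple:
    """'1.3.2' -> (1, 3, 2); stops at the first non-numeric component."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(installed: Optional[str], fixed_in: str) -> bool:
    """True if the installed version predates the fix; unknown versions are flagged."""
    if installed is None:
        return True
    return parse_version(installed) < parse_version(fixed_in)


def match_advisories(inventory: dict, advisories: list) -> list:
    """Return (advisory id, product, installed version) for every relevant advisory."""
    hits = []
    for adv in advisories:
        text = adv["summary"].lower()
        for name, ver in inventory.items():
            # whole-word, case-insensitive keyword match on the product name
            if re.search(r"\b" + re.escape(name) + r"\b", text) and is_affected(ver, adv["fixed_in"]):
                hits.append((adv["id"], name, ver))
    return hits


if __name__ == "__main__":
    for adv_id, product, version in match_advisories(INVENTORY, ADVISORIES):
        print(f"{adv_id}: {product} {version or '(version unknown)'} needs attention")
```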
