RE: Spy ware assessment techniques

From: jseitz@crossflux.com
Date: Sat Feb 11 2006 - 14:32:52 EST


The other thing to be aware of if you are suspecting spyware/rootkit
activity, is to close everything on your system and for 24 hours do an
ethereal capture on your machine. With the newest covert channels that are
being used it wouldn't be surprising to see basic one-way communication
occurring (i.e. at 3:00 am when you are sleeping, your computer is sending
requests to google.com, with the source address faked, Google.com is going
to replay the response to the attacker's machine). It will be obvious to
you though what is occurring.

JS

> Some of the things I look for when I suspect spyware and it isn't
> straightforward about its presence are network connections. Apart from how
> Windows is by nature the noisiest Operating System on earth on a network,
> you can use a connection monitor either at the host or over the wire to
> look for connections made to odd addresses that weren't initiated
> knowingly. Try pointing the browser at a location void of banner ads and
> see if any "other" connections are made to spyware reporting engines, as
> browser add-ins are the most common spyware.
>
> Sounds like one of us with spare time should go on a warez and pr0n site
> clicking spree with another clean computer doing some ethereal watching.
> Maybe there can be some Snort signatures written for the whole world to
> benefit.
>
> -Terry
>
>
> -----Original Message-----
> From: Thorsten Holz [mailto:thorsten.holz@mmweg.rwth-aachen.de]
> Sent: Friday, February 10, 2006 1:18 PM
> Cc: pen-test@securityfocus.com
> Subject: Re: Spyware assessment techniques
>
> Butler, Theodore wrote:
>> A companion question, what if you had to do this from a command line?
>> How would it be done without the spyware tools?
>
> My advice based on some experience with bots/adware:
>
> - Look at the running processes and identify unusual entries
> - Similarly, take a look at all the run keys in the registry (autostart
> for malware)
> - Look for suspicious files in C:\, C:\%windir%, C:\%windir%\system32
>
> With this information, you can find the most obvious ones. With more
> stealth malware (hiding with the help of rootkits), you can look for
> suspicious drivers, but a good installation will hide itself so that it
> can't be detected from the command line.
>
> From a network point of view, look for suspicious connections at the
> gateway (netflow helps here). Identify unusual flows, use of unusual
> ports used for Command & Control, recurring patterns, ... Perhaps you
> can also use ngrep to search for suspicious network communication.
>
> Just my 0.02 cent,
> Thorsten
>
> --
> http://honeyblog.org
>
>
> ----------------------------------------------------------------------------
> --
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on your
> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers
> are
>
> futile against web application hacking. Check your website for
> vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before
> hackers
> do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> ----------------------------------------------------------------------------
> ---
>
>

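Both network-side suggestions in this thread (JS's 24-hour host capture, in which one-way and spoofed-source traffic at 3 am "will be obvious", and Thorsten's advice to identify unusual flows and recurring patterns in netflow at the gateway) come down to the same few checks over a list of packet or flow records. The script below is an added example, not code from any of the posters. It assumes the capture has already been exported to one line per packet in the form "timestamp src_ip src_port dst_ip dst_port" (the field layout is an assumption; the sample capture is constructed, using documentation address ranges, with 192.168.1.20 as the monitored host). It flags four things: frames that name neither a local address as source nor destination (a forged source, since a non-promiscuous NIC only sees its own unicast traffic plus broadcast/multicast), remote endpoints the host sent to but never heard back from, anything the host emitted during hours nobody is at the keyboard, and peers contacted at a near-constant interval.

```python
"""Triage of a long host-side packet capture: spoofed sources, one-way
conversations, idle-hour activity and fixed-interval beaconing.

Added example; not code from the original posts.  Input format is an
assumption: "YYYY-MM-DD HH:MM:SS src_ip src_port dst_ip dst_port".
"""
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample capture (documentation address ranges, not real hosts).
# 192.168.1.20 is the monitored host, 192.168.1.1 its gateway/resolver.
# 203.0.113.5:8080 is contacted every ten minutes (beacon), 198.51.100.9:443
# is never answered (one-way), and the 03:00 frame carries a forged source.
SAMPLE_CAPTURE = """\
2006-02-11 09:12:03 192.168.1.20 1027 192.168.1.1 53
2006-02-11 09:12:03 192.168.1.1 53 192.168.1.20 1027
2006-02-11 09:12:04 192.168.1.20 1028 192.0.2.10 80
2006-02-11 09:12:04 192.0.2.10 80 192.168.1.20 1028
2006-02-11 10:00:00 192.168.1.20 1040 203.0.113.5 8080
2006-02-11 10:00:00 203.0.113.5 8080 192.168.1.20 1040
2006-02-11 10:10:00 192.168.1.20 1041 203.0.113.5 8080
2006-02-11 10:10:00 203.0.113.5 8080 192.168.1.20 1041
2006-02-11 10:20:00 192.168.1.20 1042 203.0.113.5 8080
2006-02-11 10:20:00 203.0.113.5 8080 192.168.1.20 1042
2006-02-11 10:30:00 192.168.1.20 1043 203.0.113.5 8080
2006-02-11 10:30:00 203.0.113.5 8080 192.168.1.20 1043
2006-02-12 03:00:00 10.9.8.7 1200 192.0.2.10 80
2006-02-12 03:10:00 192.168.1.20 1050 198.51.100.9 443
"""

HOST_IPS = {"192.168.1.20"}                      # addresses of the captured host
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # to recognise the LAN broadcast


def parse_capture(text):
    """Turn the text export into a list of (time, src, sport, dst, dport)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, src, sport, dst, dport = line.split()
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        records.append((ts, src, int(sport), dst, int(dport)))
    return records


def is_inbound(rec, host_ips):
    _, src, _, dst, _ = rec
    return dst in host_ips and src not in host_ips


def spoofed_source(records, host_ips, local_net):
    """Frames in the host's own capture that involve no host address.
    After dropping broadcast/multicast, a non-promiscuous NIC should never
    see such a frame unless this host emitted it with a forged source."""
    hits = []
    for rec in records:
        _, src, _, dst, _ = rec
        if src in host_ips or dst in host_ips:
            continue
        d = ipaddress.ip_address(dst)
        if d.is_multicast or d == local_net.broadcast_address or dst == "255.255.255.255":
            continue
        hits.append(rec)
    return hits


def one_way_conversations(records, host_ips):
    """Remote (ip, port) pairs the host sent to but never heard back from."""
    sent, answered = set(), set()
    for _, src, sport, dst, dport in records:
        if src in host_ips and dst not in host_ips:
            sent.add((dst, dport))
        elif dst in host_ips and src not in host_ips:
            answered.add((src, sport))
    return sent - answered


def idle_hour_activity(records, host_ips, start_hour=1, end_hour=5):
    """Everything the host emitted (including forged-source frames, which are
    not inbound either) while its user should be asleep."""
    return [rec for rec in records
            if not is_inbound(rec, host_ips) and start_hour <= rec[0].hour < end_hour]


def beacons(records, host_ips, min_gaps=3, tolerance=0.1):
    """Remote endpoints contacted at a near-constant interval; returns
    {(ip, port): median interval in seconds}."""
    by_peer = defaultdict(list)
    for ts, src, _, dst, dport in records:
        if src in host_ips and dst not in host_ips:
            by_peer[(dst, dport)].append(ts)
    found = {}
    for peer, times in by_peer.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < min_gaps:
            continue
        m = median(gaps)
        if m > 0 and all(abs(g - m) <= tolerance * m for g in gaps):
            found[peer] = m
    return found


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    print("forged source :", spoofed_source(recs, HOST_IPS, LOCAL_NET))
    print("one-way       :", one_way_conversations(recs, HOST_IPS))
    print("idle hours    :", idle_hour_activity(recs, HOST_IPS))
    print("beacons       :", beacons(recs, HOST_IPS))
```

The tolerance in beacons() is deliberately loose (10% of the median gap) because real check-ins jitter around the timer; tighten it if legitimate software such as an update agent shows up, or raise min_gaps when looking at a full day of flows from a gateway rather than a single host.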



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:30 EDT