Re: Spyware assessment techniques

From: Packet Man (packetman@altsec.info)
Date: Fri Feb 10 2006 - 15:57:01 EST

• Next message: Paul Halliday: "Re: Deep Freeze"
• Previous message: Brian Rectanus: "Re: sql injection: url or form based?"
• In reply to: Derek Nash: "Spyware assessment techniques"
• Next in thread: Paul Halliday: "Re: Spyware assessment techniques"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Derek Nash wrote:

> Recently I have begun to consider including data from a web usage
> analysis tool that has the ability to identify spyware downloads and
> phone home attempts to augment these manual efforts. I am wondering
> what others are doing in regards to spyware assessments and if anyone
> is aware a spyware "network scanner" that would allow me to look at a
> larger sampling of hosts on a network during these assessments.

My last intensive research into this seemed to indicate that
Sunbelt Software's "Counterspy", and I found it quite effective
in installations at my former day job.

Here's a comparison review:

http://www.consumersearch.com/www/software/anti-spyware-reviews/index.html

Overall though, I think that "true" detection of any unauthorized
software boils down to three things:

1. Intensive audit of the system(s) (HIDS)
2. Network monitoring (NIDS, Sniffing)
3. Audit logs of the systems themselves

While use of products such as Counterspy are invaluable in
protection of hosts, they are inherently "reactionary" and
rely on detection techniques that are always going to be a
jump behind the leading edge attackers.

Therefore, I rely on a HIDS such as Osiris to do frequent
sweeps of the hosts critical files.

Then, I install a central logging client such as "Snare"
on the Windows hosts, and have ALL systems in the network
log to a tightly secured, central logging host. Those logs
are frequently scanned and analyzed.

Further, I use snort and firewall logs to keep track of
who is connecting to whom on what port. Those logs are
frequently correlated and analyzed as well.

One thing that helps much is to force browsing through a
proxy, such as Squid or its commercial equivalents.

I hope this helps.

-- 
Excellence in InfoSec and Linux
http://www.altsec.info
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 
Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

• Next message: Paul Halliday: "Re: Deep Freeze"
• Previous message: Brian Rectanus: "Re: sql injection: url or form based?"
• In reply to: Derek Nash: "Spyware assessment techniques"
• Next in thread: Paul Halliday: "Re: Spyware assessment techniques"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:30 EDT