Security Basics mailing list archives
re: Adware, spyware, and trojans
From: H C <keydet89 () yahoo com>
Date: Mon, 9 Dec 2002 08:50:46 -0800 (PST)
Courtney,
he writes that most antivirus software does not detect spyware, which was a shock to me. Spyware seems to be defined as software that logs keystrokes, screenshots, user actions, etc.
Don't get caught up in semantics. What might be better to do is visit the various A/V sites, and see how *they* define these particular items.
1. What's the distinction between spyware, adware, and trojan software?
As you've probably seen by now, you've gotten several responses from people who are telling you what *they* think the distinctions are...in fact, one response posted to the list even states that "It's simple trojan is a virus". Hardly! Best to check your A/V site...the company that makes the product and see what they say. But for the most part, Trojans and viruses are different forms of malware, as their definitions clearly show.
(My antivirus software says it protects against Trojans, and I've seen programs like SubSeven in its log files.)
What does this mean? In what capacity or context have you seen "SubSeven" in your A/V logs? Did the trojan come in via an email attachment and was quarantined?
2. Is there any good software that detects and removes spyware, ideally controlled and updated continuously from a central server?
Sure is...AdAware, which I've seen has been recommended several times.
SpyWare is a software (usually) which wait a special actions (for examp. key press, mouse move, filework).
This is most likely a matter of interpretation. For example, things like iMesh install spyware, in particular things like Ezula TopText. TopText is spyware in the sense that it reads through web pages that your browser is downloading, and adds dynamic links to the HTML based on keywords. These links will point you to the Ezula customer's site, if you click on them. Other forms of spyware have watched what pages the user requests, and keep track of how long they take to download to the system. Usually, "spyware" that specifically watches keystrokes will be referred to specifically as a "keylogger" or "keystroke monitor". This is pretty much what Frederick pointed out, and what I'd fully agree with. I have no idea what "filework" refers to...
unfortunately it must be run on each computer individually (as opposed to a server) and doesn't allow much room for automation...
Welcome to the world of free-/shareware! The necessary level of automation that you require is likely to be found in a commercial product. However, another way to approach it would be to use a combination of freeware tools, such as Perl, pslist.exe from SysInternals, etc, to dump the process list from remote machines, and compare the output to a list of "known good" processes. This would work pretty well for the spyware, but not for Trojans that are truly configured for malicious purposes (though it would work against 99% of the kiddies who make no configuration changes at all to the basic Trojan server setup).
maybe scanning for established connections on ports used as the default for some well-known trojans, something like that.
A combination of personal firewalls and A/V, or simply running FoundStone's fport.exe (via SysInternal's psexec.exe) would work. Launch psexec/fport via Perl, and parse the output. One example of this can be found at http://patriot.net/~carvdawg/perl.html. Look for procdmp.pl. This script takes the output of 5 tools and parses them into output seen at http://patriot.net/~carvdawg/pd.html. That way, with a quick, easy glance, you can spot potential spyware and Trojans.
As far as I know, antivirus software doesn't do this.
There's a lot that A/V doesn't do. It doesn't (for the most part) scan NTFS alternate data streams (for more info on ADSs, http://patriot.net/~carvdawg/docs/dark_side.html). It doesn't scan the Registry...segments of (or entire) applications can be hidden in the Registry for use at a later date.
you can simply "Google" each topic you want to learn about...
The problem with this is the credibility issue. Some of what pops up on Google might be from the poster who said Trojans are viruses. If you're curious about what a particular A/V product considers to be a "Trojan" or "spyware", check the site.