Security Basics mailing list archives

Re: Windows Bot/Trojan/Backdoor scanner


From: Andrew Hecox <ahecox () uchicago edu>
Date: Sun, 14 Sep 2003 19:07:49 -0500 (CDT)


On Sun, 14 Sep 2003, Markus Rossi wrote:


<snip>


Thanks for the info so far, although I should have been more explicit
initially. The machines in question have already been pulled from the
network because they are exhibiting suspicious network activity as
determined by a vulnerability scan or analysis of their outgoing traffic.

For administratively controlled machines (depending on the administrating
group) we have centrally controlled client-side firewalls, plus selective
port blocking at the network gateway.

The problem is that not every machine is capable of being centrally
controlled (several thousand are not). So when something like
lovsan/msblast hits the network, we might have a couple of hundred
machines compromised in such a way that they may have a backdoor
installed. Currently, our policy is to re-format these machines before
they are allowed back on the network since we do not know what might be
installed during the time period when they were open to the
world. However, if we could realistically minimize the possibility that
any software was installed, simply cleaning the infection and patching any
holes would be preferable and a significant resource saver.

The key seems to be finding the right tool or set of tools to make sure
the system does not have additional backdoor software installed, not
necessarily with 100% accuracy but with a very high percentage (say, 95%
or better).

-cheers!

Andrew



