Security Basics mailing list archives
RE: Spyware
From: geraldf () westernsaw com
Date: Wed, 15 Dec 2004 15:48:37 -0800
Hi, Matt;

Sorry, that is not a good proposed solution because many spyware programs use port redirectors. They are set to communicate on a high undedicated port, but they are programmed to pass their packets to, say, port 80, 25, etc. as they "phone home" through the firewall to the internet. Once they reach their destination IP, they shift the packets back up to the high undedicated port for a proper socket connection.

Let me know if you come up with anything to stop this flow. I have looked at application-level monitoring programs to see if they can stop this flow, but no luck so far. It's cheaper and far less overhead just to prevent or search and destroy.

http://www.foundstone.com/ has good info on port redirectors.

Gerald

-----Original Message-----
From: Matt Stern [mailto:sternm () comprehensive com]
Sent: Tuesday, December 14, 2004 2:38 PM
To: security-basics () lists securityfocus com
Subject: Spyware

WYB! processed these attachments:
Removed: OriginalMessage.rtf
Removed: OriginalMessage.htm
-----

Hello all:

I was just wondering if spyware sends its answers "back home" on any particular TCP or UDP port. If so, then couldn't I doubly safeguard the LAN (after trying to keep all the spyware off the workstations) by disallowing outbound communications via the firewall, for those ports? Or conversely, instead of allowing all outbound traffic, only allow the usual ports, such as 80, 443, 23, etc.?

Thanks.

--
Matthew H. Stern, CCP/CDP, sternm () comprehensive com
Serving the IT industry since 1976
Comprehensive Computer Services Inc.
www.comprehensive.com
Phone: 631 755-2250, Fax 755-2254
560 Broad Hollow Road, Melville NY 11747
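Added example, not part of the original messages: a port-only egress rule passes anything addressed to an allowed port, so one defensive check is whether the first bytes of each outbound flow look like the protocol that port is meant to carry. The allowed-port policy, the flow records and the function names below are constructed for illustration.

```python
import re

# First client bytes expected on each port allowed outbound (assumed policy).
HTTP_REQ = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")
SMTP_CMD = re.compile(rb"^(EHLO|HELO) \S+\r\n", re.IGNORECASE)

def looks_like_tls(data: bytes) -> bool:
    # TLS record type 0x16 (handshake), major version 0x03,
    # handshake message type 0x01 (ClientHello) at offset 5.
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01

EXPECTED = {
    80: lambda d: bool(HTTP_REQ.match(d)),
    443: looks_like_tls,
    25: lambda d: bool(SMTP_CMD.match(d)),
}

def classify(dst_port: int, first_bytes: bytes) -> str:
    """Return 'ok', 'protocol-mismatch' or 'blocked-port' for one flow."""
    check = EXPECTED.get(dst_port)
    if check is None:
        return "blocked-port"          # the port filter alone stops this
    return "ok" if check(first_bytes) else "protocol-mismatch"

def audit(flows):
    """Return (src, dst_port, verdict) for every flow that is not 'ok'."""
    findings = []
    for f in flows:
        verdict = classify(f["dst_port"], f["first_bytes"])
        if verdict != "ok":
            findings.append((f["src"], f["dst_port"], verdict))
    return findings

# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst_port": 80,
     "first_bytes": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"src": "10.0.0.7", "dst_port": 80,
     "first_bytes": b"\x00\x01\x02\x03opaque-binary"},
    {"src": "10.0.0.5", "dst_port": 443,
     "first_bytes": b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03"},
    {"src": "10.0.0.8", "dst_port": 25,
     "first_bytes": b"\x7f\x45\x00\x10not-smtp"},
    {"src": "10.0.0.9", "dst_port": 31337, "first_bytes": b"anything"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

The check flags the two flows that reach an allowed port without speaking its protocol, which the port filter alone would have passed. It says nothing about traffic that is carried inside well-formed requests of the allowed protocol.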