Security Basics mailing list archives

RE: Spyware


From: geraldf () westernsaw com
Date: Wed, 15 Dec 2004 15:48:37 -0800

Hi, Matt;

Sorry, that is not a good proposed solution because many spyware programs
use port redirectors.  They are set to communicate on a high undedicated
port, but they are programmed to pass their packets to, say, port 80, 25,
etc. as they "phone home" through the firewall to the internet.  Once they
reach their destination IP, they shift the packets back up to the high
undedicated port for a proper socket connection.

Let me know if you come up with anything to stop this flow.  I have looked
at application-level monitoring programs to see if they can stop this flow,
but no luck so far.  It's cheaper and far less overhead just to prevent or
search and destroy.

http://www.foundstone.com/ has good info on port redirectors.

Gerald 

-----Original Message-----
From: Matt Stern [mailto:sternm () comprehensive com] 
Sent: Tuesday, December 14, 2004 2:38 PM
To: security-basics () lists securityfocus com
Subject: Spyware


Hello all: 

I was just wondering if spyware sends its answers "back home" on any
particular TCP or UDP port.  If so, then couldn't I doubly safeguard the LAN
(after trying to keep all the spyware off the workstations) by disallowing
outbound communications via the firewall, for those ports?
Or conversely, instead of allowing all outbound traffic, only allow the
usual ports, such as 80, 443, 23, etc?

Thanks. 

--
Matthew H. Stern, CCP/CDP, sternm () comprehensive com Serving the IT industry
since 1976 Comprehensive Computer Services Inc. 
www.comprehensive.com
Phone: 631 755-2250, Fax 755-2254
560 Broad Hollow Road, Melville NY 11747 
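The exchange above comes down to two controls: the port allowlist Matt proposes, and the payload inspection Gerald says is needed because a redirector will happily ride out on port 80 or 25. The following script is an added illustration, not code from either poster; it runs a hypothetical egress policy over a handful of constructed connection records and shows where each control catches or misses a "phone home" attempt. The allowlist (`ALLOWED_EGRESS_PORTS`), the record format, and the sample addresses in the 203.0.113.0/24 documentation range are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical egress policy, roughly the one Matt proposes in the thread:
# default-deny outbound, allow only the usual service ports.
ALLOWED_EGRESS_PORTS = {80, 443, 25}


@dataclass
class Connection:
    """One outbound connection as a proxy or IDS sensor would see it (constructed)."""
    src: str
    dst: str
    dst_port: int
    first_client_bytes: bytes  # first bytes the internal host sends


# Minimal protocol-conformance checks for the allowed ports.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")
SMTP_CLIENT_GREETING = re.compile(rb"^(EHLO|HELO) \S+\r\n")


def looks_like_expected_protocol(port: int, data: bytes) -> bool:
    """Return True if the client's first bytes fit the protocol normally on `port`."""
    if port == 80:
        return bool(HTTP_REQUEST_LINE.match(data))
    if port == 25:
        return bool(SMTP_CLIENT_GREETING.match(data))
    if port == 443:
        # TLS record header: content type 0x16 (handshake), version major byte 0x03.
        return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03
    return False


def classify(conn: Connection) -> tuple:
    """Apply the port allowlist first, then the payload check on allowed ports."""
    if conn.dst_port not in ALLOWED_EGRESS_PORTS:
        return ("blocked", "port %d not in egress allowlist" % conn.dst_port)
    if looks_like_expected_protocol(conn.dst_port, conn.first_client_bytes):
        return ("allowed", "payload matches the protocol expected on port %d" % conn.dst_port)
    # The allowlist alone would have let this through: this is the redirector case.
    return ("alert", "unexpected payload on allowed port %d (possible port redirector)"
            % conn.dst_port)


def audit(conns) -> list:
    """Return (src, dst, port, verdict, reason) for every connection."""
    return [(c.src, c.dst, c.dst_port) + classify(c) for c in conns]


# Constructed sample traffic from one internal workstation.
SAMPLE_CONNECTIONS = [
    Connection("10.0.0.5", "203.0.113.10", 80,
               b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Connection("10.0.0.5", "203.0.113.20", 6667, b"NICK bot\r\n"),
    Connection("10.0.0.5", "203.0.113.30", 80, b"\x00\x01\x02beacon-data"),
    Connection("10.0.0.5", "203.0.113.40", 443,
               b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Connection("10.0.0.5", "203.0.113.50", 25, b"NOT-SMTP\r\n"),
]


if __name__ == "__main__":
    for row in audit(SAMPLE_CONNECTIONS):
        print("%s -> %s:%d  %s  (%s)" % row)
```

Records two and three are the point of the thread: the IRC-style connection on 6667 is stopped by the allowlist, but the beacon on port 80 passes the allowlist and is only caught because something looked at the payload. The check here is deliberately shallow (first bytes only) and assumes a sensor that can see cleartext; a redirector that wraps its traffic in a well-formed HTTP request, or tunnels inside TLS, passes it, which is why this complements rather than replaces host-side prevention and removal.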

