Educause Security Discussion mailing list archives
Re: Spyware, trojans and keyboard loggers?
From: "Edwards, Francis" <Francis.Edwards () MONTGOMERYCOLLEGE EDU>
Date: Mon, 26 Jul 2004 15:02:02 -0400
Jim,

NAI/McAfee is set to release version 8.0i of VirusScan Enterprise in mid-August. (It's been delayed a few weeks to work out some items discovered during beta testing.) Coupled with their ePO management system, it looks like it will do what you're asking about. See
http://www.mcafeesecurity.com/us/products/mcafee/antivirus/desktop/vs.htm

In addition to automatically handling a list of spyware and other 'unwanted' software, they say "administrators can even define a custom list of company-specific unwanted programs...[to] alert, clean, remove, and quarantine..."

Francis Edwards, CISSP CCP
Manager, IT Security
Montgomery College
Office of Information Technology
7362 Calhoun Place
Rockville, MD 20855-2759
240/314-3091
Francis.Edwards () montgomerycollege edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of James Moore
Sent: Monday, July 26, 2004 1:23 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Spyware, trojans and keyboard loggers?

We are creating a "desktop security standard" and want to include protection against spyware and keystroke loggers. I am trying to get good coverage. I had anticipated that the big A/V vendors would have swallowed up anti-spyware/backdoors/keyloggers by now. But it seems that they haven't. In fact some are producing their own anti-spyware -- e.g. NAI/McAfee.

Some vendors, like SpyCop, claim that most "keystroke logger" protection doesn't cover 1) the commercial/shareware keyloggers and 2) nearly as many as they do.

I am looking to get to the bottom line, which is coverage, in conjunction with clarity (i.e. it doesn't come with a 368 page manual that users are expected to read. It also doesn't come with simple 2 step instructions, the first of which is "get an MS in computer science").

Any advice? Sample desktop security standards?

Thinking ahead to server security ... Any advice? Sample server security standards?
Thanks,

- - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Office: 585-475-5406
Lab: 585-475-4122
Fax: 585-475-7950

"In the middle of difficulty lies opportunity." Albert Einstein

"The release of new internet threats has not created a new problem. It has merely made more urgent the necessity of solving an existing one." Parallels quote by Albert Einstein on atomic energy
-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jordan Wiens
Sent: Wednesday, July 21, 2004 2:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] keyboard logger?

On Wed, 21 Jul 2004, Mark Wilson wrote:

> Has anyone heard of a keyboard logger keykb.exe (167kb)? A complement program may be named bkyek.ni (211 kb). Any information on this is appreciated. I am not that experienced in evaluating malware so any other tips on obtaining information about malware may help.

The keykb.exe is detected as the following:

Clamscan: Trojan.Spy.Agent.P
F-secure: TrojanSpy.Win32.Agent.p [AVP] (f-secure just uses kav to detect it in this case)
Dr. Web: Trojan.Virtumod
Kaspersky: TrojanSpy.Win32.Agent.p
RAV: TrojanSpy/Win32.Agent.P

You can try searching for more info from those AV vendor sites. It's UPX packed (thanks Kaspersky). Here's some selected strings for fun:

http://203.199.200.61/
:AttachThreadInput
POST HTTP/1.1
g_PopupPerDay
g_ServerIPs
g_Upgrade
c:\Projects\GatorClone\GatorClone\Release\GatorClone.pdb
Copyright (c) 1992-2001 by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.
c:\Projects\GatorClone\KillHook\Release\KillHook.pdb

The other ini file is either encrypted or compressed, doesn't contain any strings, or some combination of those, and doesn't have a format I can guess at by glancing through it.
Quick and Dirty General Malware Analysis Tutorial:
--------------------------------------------------

For easy and effective malware analysis, get a copy of vmware (30 day free versions available, but it's well worth the cost if you can get your university to buy a copy) and load it up with:

http://www.sysinternals.com/ntw2k/source/filemon.shtml
http://www.sysinternals.com/ntw2k/freeware/pmon.shtml
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
http://www.sysinternals.com/ntw2k/source/regmon.shtml

Along with a good sniffer (ethereal is hard to beat: http://www.ethereal.com/) and depending on your level of guts, run it in the vmware environment with the network off or on and monitor what it does. Make sure to save a snapshot of your vmware image after you've set it up before infection so you can reset it to a clean state immediately afterwards.

On the linux side of things, there are a number of anti-virus programs you can purchase or get for free that you can script together to scan malware automatically. That and the file and strings commands are essential as well (for windows equivalents try:

http://www.sysinternals.com/ntw2k/source/misc.shtml#strings
http://gnuwin32.sourceforge.net
)

Windows users could try the same assuming they were able to get the command-line scanners of the anti-virus softwares installed and scripted together as well. Alternatively, check out virustotal which does most of the hard work for you: http://www.virustotal.com. One of the few downsides to virustotal is they don't report the packing information that (for example) Dr. Web and Kaspersky report, which can be essential to unpacking and examining malware.

For those who really want to dig deep, get a good disassembler/debugger in your vmware image as well. I'd highly recommend Ollydbg (though there was a recent exploit announced in it, but that's why we're running it in our vmware image anyway, right? We're already planning on running malware, so that shouldn't be that much of a problem other than the fact that Ollydbg can't debug code specifically built to exploit it):
http://home.t-online.de/home/Ollydbg/
though many people like the commercial products SoftIce and IDA Pro.

--
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
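The static part of Jordan's triage of keykb.exe (the "file" and "strings" steps of his tutorial, plus the UPX-packing observation he credits to Kaspersky) can be reproduced without any vendor tooling. The script below is an added example written for this archive page, not code from the thread or from any of the products named in it. It parses just enough of the PE header to report the image type and section names, flags UPX by its UPX0/UPX1 section names or the "UPX!" marker, pulls ASCII and UTF-16LE strings, and buckets the ones an analyst would chase first (C2 URL or IP, HTTP verb, .pdb build path, input-hook APIs). The sample PE it runs on is a hand-built stub constructed here, carrying the strings Jordan quoted; nothing about the real keykb.exe is assumed beyond those strings and the UPX packing.

```python
"""Static triage of a suspect Windows binary: 'file', 'strings' and a UPX check.
Added example for this thread, not code from the original posts.
Standard library only; SAMPLE below is a constructed PE32 stub, not a real sample."""
import re
import struct

# Strings worth a second look: C2 URL/IP, HTTP verb, build path, input-hook APIs.
INDICATORS = {
    "url_or_ip": re.compile(r"https?://|\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "http_verb": re.compile(r"\b(?:GET|POST) HTTP/1\.[01]"),
    "debug_path": re.compile(r"\.pdb$", re.IGNORECASE),
    "hook_api": re.compile(r"AttachThreadInput|SetWindowsHookEx|GetAsyncKeyState"),
}


def pe_headers(data):
    """(e_lfanew, NumberOfSections, SizeOfOptionalHeader, Magic) or None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    return e_lfanew, nsec, size_opt, magic


def file_type(data):
    """Rough equivalent of the Unix 'file' command for PE images."""
    hdr = pe_headers(data)
    if hdr is None:
        return "MS-DOS executable" if data[:2] == b"MZ" else "unknown"
    return {0x10B: "PE32 executable", 0x20B: "PE32+ executable"}.get(hdr[3], "PE (unknown magic)")


def pe_section_names(data):
    """Names from the section table: 40-byte entries, 8-byte NUL-padded name first."""
    hdr = pe_headers(data)
    if hdr is None:
        return []
    e_lfanew, nsec, size_opt, _ = hdr
    table = e_lfanew + 24 + size_opt
    names = []
    for i in range(nsec):
        raw = data[table + i * 40: table + i * 40 + 8]
        if len(raw) < 8:
            break
        names.append(raw.split(b"\x00")[0].decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """UPX leaves UPX0/UPX1 section names and, unless stripped, a 'UPX!' marker."""
    return any(n.startswith("UPX") for n in pe_section_names(data)) or b"UPX!" in data


def extract_strings(data, min_len=6):
    """ASCII runs plus UTF-16LE runs; Windows binaries carry both kinds."""
    ascii_rx = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_rx = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_rx.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_rx.finditer(data)]
    return found


def triage(strings):
    """Bucket strings by indicator so the interesting ones surface first."""
    hits = {}
    for s in strings:
        for tag, rx in INDICATORS.items():
            if rx.search(s):
                hits.setdefault(tag, []).append(s)
    return hits


def analyze(data):
    strings = extract_strings(data)
    return {"type": file_type(data), "sections": pe_section_names(data),
            "upx": looks_upx_packed(data), "strings": strings, "hits": triage(strings)}


def build_sample_pe(section_names, payload):
    """Constructed minimal PE32: DOS header, PE signature, COFF header,
    zeroed optional header with Magic set, section table, then payload bytes."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header right after DOS stub
    size_opt = 0xE0                                  # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (size_opt - 2)
    secs = b"".join(n.encode().ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return bytes(dos) + b"PE\x00\x00" + coff + opt + secs + payload


# Constructed payload: the strings quoted in the thread, plus one wide string.
SAMPLE_PAYLOAD = b"\x00\x00".join([
    b"http://203.199.200.61/",
    b"AttachThreadInput",
    b"POST HTTP/1.1",
    b"g_PopupPerDay",
    b"g_ServerIPs",
    b"c:\\Projects\\GatorClone\\GatorClone\\Release\\GatorClone.pdb",
    "g_Upgrade".encode("utf-16-le"),
])
SAMPLE = build_sample_pe(["UPX0", "UPX1", ".rsrc"], SAMPLE_PAYLOAD)

if __name__ == "__main__":
    report = analyze(SAMPLE)
    print(report["type"], report["sections"], "UPX packed" if report["upx"] else "not UPX")
    for tag, items in report["hits"].items():
        print(tag, items)
```

Run it against a real file with analyze(open(path, "rb").read()). Two caveats match Jordan's points: a UPX-packed image hides almost all of its real strings until unpacked (on a genuine sample most of the hits above would only appear after upx -d or a memory dump), and a file that yields no strings at all, like the bkyek.ni companion, tells you it is encrypted or compressed rather than benign.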
Current thread:
- Spyware, trojans and keyboard loggers? James Moore (Jul 26)
- <Possible follow-ups>
- Re: Spyware, trojans and keyboard loggers? Gary Flynn (Jul 26)
- Re: Spyware, trojans and keyboard loggers? Edwards, Francis (Jul 26)