RE: Win32 Cisco Exploit

["Bojan Zdrnja" <Bojan.Zdrnja () LSS hr>]

> -----Original Message-----
> From: full-disclosure-admin () lists netsys com 
> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
> Michael Scheidell
> Sent: Thursday, 24 July 2003 11:09 p.m.
> To: Leif Sawyer
> Cc: full-disclosure () lists netsys com
> Subject: Re: [Full-disclosure] Win32 Cisco Exploit
>
> Sometimes we run things like this on our 'judas goat' computer.
> Not only is it not on our corporate network, but uses a different internet
> provider.
>
> We have sniffer^h^h^h^h^h^h^h snorter on it to watch the traffic.
>
> We run full sysdifs before and after, and just to be double paranoid, put
> the ghost image back on afterwards..  Don't forget to lock out the flash
> bios update on the computer. 

For these "suspicious" binaries, I'd always suggest running them on an
isolated computer (as you already do).

Also, there is a very nice utility Roxio (now Symantec?) makes called GoBack
which allows you to trace exactly what a process did and revert to the
previous state.
I've been using it to test various viruses and worms as it will print very
nicely absolutely everything that happened.

You might want to check it on:

http://www.symantec.com/goback/

Regards,

Bojan Zdrnja

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html