Re: Spyware assessment techniques

[Thorsten Holz <thorsten.holz () mmweg rwth-aachen de>]

Butler, Theodore wrote:
> A companion question,  what if you had to do this from a command line?
> How would it be done without the spyware tools?

My advise based on some experience with bots/adware:

- Look at the running processes and identify unusual entries
- Similarly, take a look at all the run keys in the registry (autostart
for malware)
- Look for suspicious files in C:\, C:\%windir%, C:\%windir%\system32

With this information, you can find the most obvious ones. With more
stealth malware (hiding with the help of rootkits), you can look for
suspicious drivers, but a good installation will hide itself so that it
can't be detected from the command line.

> From a network point of view, look for suspicious connections at the
gateway (netflow helps here). Identify unusual flows, use of unusual
ports used for Command & Control, recurring patterns, ... Perhaps you
can also use ngrep to search for suspicious network communication.

Just my 0.02 cent,
  Thorsten

-- 
http://honeyblog.org


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------