Penetration Testing mailing list archives
RE: Spy ware assessment techniques
From: "Terry Vernon" <tvernon24 () comcast net>
Date: Fri, 10 Feb 2006 14:39:31 -0600
Some of the things I look for when I suspect spy ware and it isn't straightforward about its presence are network connections. Apart from how Windows is by nature the noisiest Operating System on earth on a network, you can use a connection monitor either at the host or over the wire to look for connections made to odd addresses that weren't initiated knowingly. Try pointing the browser at a location void of banner ads and see if any "other" connections are made to spy ware reporting engines, as browser add-ins are the most common spy ware.

Sounds like one of us with spare time should go on a warez and pr0n site clicking spree with another clean computer doing some Ethereal watching. Maybe there can be some Snort signatures written for the whole world to benefit.

-Terry

-----Original Message-----
From: Thorsten Holz [mailto:thorsten.holz () mmweg rwth-aachen de]
Sent: Friday, February 10, 2006 1:18 PM
Cc: pen-test () securityfocus com
Subject: Re: Spyware assessment techniques

Butler, Theodore wrote:
A companion question, what if you had to do this from a command line? How would it be done without the spyware tools?
My advice based on some experience with bots/adware:
- Look at the running processes and identify unusual entries
- Similarly, take a look at all the run keys in the registry (autostart for malware)
- Look for suspicious files in C:\, C:\%windir%, C:\%windir%\system32
With this information, you can find the most obvious ones. With more stealthy malware (hiding with the help of rootkits), you can look for suspicious drivers, but a good installation will hide itself so that it can't be detected from the command line.
From a network point of view, look for suspicious connections at the gateway (netflow helps here). Identify unusual flows, use of unusual ports used for Command & Control, recurring patterns, ... Perhaps you can also use ngrep to search for suspicious network communication.

Just my 0.02 cent,
Thorsten

--
http://honeyblog.org
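One way to turn the gateway-side triage Thorsten describes (unusual flows, unusual ports, recurring patterns) and Terry's clean-browsing baseline into a repeatable check over a netflow-style export. This is an added example for the thread, not code from either poster; the one-flow-per-line format, the baseline host and port sets, and the jitter threshold used to call a destination "periodic" are assumptions, and the flow records are constructed.

```python
"""Triage a netflow-style export for three spyware signals: remote hosts
outside a known-good baseline, unusual destination ports, and recurring
(near-periodic) contact with one remote endpoint.

Added example, not from the thread. Flow line format assumed:
<iso timestamp> <src ip>:<src port> <dst ip>:<dst port> <proto> <packets>"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow export: a workstation loading a page from 198.51.100.10,
# plus a host that is contacted every ~5 minutes on port 8088 and one IRC-port flow.
FLOWS = """\
2006-02-10T14:00:00 192.168.1.20:1031 198.51.100.10:80 TCP 35
2006-02-10T14:00:02 192.168.1.20:1032 198.51.100.10:443 TCP 60
2006-02-10T14:00:05 192.168.1.20:1033 203.0.113.9:8088 TCP 4
2006-02-10T14:05:05 192.168.1.20:1040 203.0.113.9:8088 TCP 4
2006-02-10T14:10:06 192.168.1.20:1047 203.0.113.9:8088 TCP 5
2006-02-10T14:15:04 192.168.1.20:1055 203.0.113.9:8088 TCP 4
2006-02-10T14:20:05 192.168.1.20:1061 203.0.113.9:8088 TCP 4
2006-02-10T14:03:10 192.168.1.20:1036 198.51.100.10:80 TCP 22
2006-02-10T14:11:30 192.168.1.20:1049 192.0.2.44:6667 TCP 120
"""

# Assumed baseline: ports a browsing workstation is expected to reach, and the
# hosts the ad-free test page is known to load from (Terry's clean-page idea).
EXPECTED_PORTS = {53, 80, 443}
EXPECTED_HOSTS = {"198.51.100.10"}


def parse_flows(text):
    """Parse the assumed one-flow-per-line format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, pkts = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        flows.append({
            "time": datetime.fromisoformat(ts),
            "src": src,
            "dst_ip": dst_ip,
            "dst_port": int(dst_port),
            "proto": proto,
            "packets": int(pkts),
        })
    return flows


def unexpected_destinations(flows, expected_hosts=EXPECTED_HOSTS):
    """Remote hosts contacted that are not part of the known-good baseline."""
    return sorted({f["dst_ip"] for f in flows if f["dst_ip"] not in expected_hosts})


def unusual_port_flows(flows, expected_ports=EXPECTED_PORTS):
    """Flows to ports a browsing workstation would not normally use."""
    return [f for f in flows if f["dst_port"] not in expected_ports]


def beacon_candidates(flows, min_flows=4, max_jitter=0.1):
    """Find (dst_ip, dst_port) pairs contacted at near-regular intervals.

    Regularity is the coefficient of variation of the inter-arrival times;
    a small value means the spacing is almost constant. Returns the mean
    period in seconds for each candidate."""
    by_dest = defaultdict(list)
    for f in flows:
        by_dest[(f["dst_ip"], f["dst_port"])].append(f["time"])
    found = {}
    for dest, times in by_dest.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found[dest] = round(avg)
    return found


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    print("hosts outside baseline:", unexpected_destinations(flows))
    for f in unusual_port_flows(flows):
        print("unusual port:", f["dst_ip"], f["dst_port"], "at", f["time"].time())
    for (ip, port), period in beacon_candidates(flows).items():
        print(f"periodic contact: {ip}:{port} roughly every {period}s")
```

The three checks are deliberately independent so each can be tuned on its own: the baseline sets come from watching a known-clean machine load the same ad-free page, while the beacon check needs no baseline at all and only looks for the regular spacing that a reporting engine or C&C check-in tends to produce. Against the constructed records it reports two hosts outside the baseline, six flows on non-browsing ports, and one destination contacted every 300 seconds.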