Security Basics mailing list archives

Re: Windows Bot/Trojan/Backdoor scanner


From: H Carvey <keydet89 () yahoo com>
Date: 14 Sep 2003 16:50:02 -0000

In-Reply-To: <Pine.GSO.4.21.0309112351270.15963-100000 () harper uchicago edu>


> ... as the subject implies, I'm looking for something to scan for
> backdoor software on the Windows platform. For example, if a system has
> been compromised by a worm such as msblast or bugbear which installs a
> backdoor, I'd like to be able to scan the system to see if anyone has
> taken advantage of *that* backdoor to install another piece of malicious
> software like an IRC bot.

Part of what you're interested in is held within memory, meaning that it's volatile data...data that disappears when 
the system is shut down.  Scanning may mean actually going to the system (or running commands remotely) to retrieve the 
necessary information.

> The primary complication is that software would only be used in situations
> where it was scanning machines AFTER they had been infected by some other
> virus. No software (like tripwire, etc) can be installed before the
> infection.

This is true to a point.  Tripwire (and software like it) doesn't do you much good if you don't have a baseline scan to 
compare things against.

You're also correct about the issue of scanning after the machine has been compromised...this is just how it works.  
The issue is that admins need to do a much better job of configuring systems to prevent intrusions, or to detect those 
incidents that can't be prevented.  The act of configuring their systems has the added benefit that the admin will have 
a much better idea of what the system should look like.

> First question- obviously there is lots of software that will search for
> trojans but is there any which will be cutting edge enough to catch the
> vast majority of the latest and greatest remote control malware?


You're approaching the situation from the wrong angle.  Rather than looking for a software package with a huge database 
that will do a good job of detecting the known issues, why not put together your own toolkit for pulling and analyzing 
information from a system?  Since you're familiar w/ the systems themselves, you'd be a much better resource for 
determining what is unusual or suspicious on a system, rather than a piece of software written by someone you never met.

> Second question- if so, is any of it substantially better than regular
> antivirus software?

Anti-virus software doesn't detect everything.  IRC bots like russiantopz, GTBot and PowerBot use mirc32.exe as their 
base, so they aren't detected.  

> Finally- given the problem of trying to detect whether a random system
> in the wild has faced additional compromises (in a cost-effective manner),
> is there a better solution to the problem? The current *best* solution is
> to re-format the system (better safe than sorry) but that situation may be
> getting untenable given limited resources.

Not only that, but what does reformatting get you?  If you make no effort to discover what the root cause of the 
compromise is, then you are simply creating more work for yourself.  The machine is going to be compromised again, 
that's all there is to it...UNLESS you shut the door.  A good deal of the compromises are automatic...worms and scripts 
are capable of doing the necessary work.  

> Any ideas, comments, or suggestions are greatly appreciated.

I'm working on a book right now that addresses this issue, specifically on Windows machines.  One of the things I'm 
working on is a forensics server that not only eases the collection of data, but also performs some necessary 
correlation and analysis on the data that has been collected.

HTH,

Harlan
