Security Basics mailing list archives
Re: Windows Bot/Trojan/Backdoor scanner
From: H Carvey <keydet89 () yahoo com>
Date: 14 Sep 2003 16:50:02 -0000
In-Reply-To: <Pine.GSO.4.21.0309112351270.15963-100000 () harper uchicago edu>
> ... as the subject implies, I'm looking for something to scan for backdoor software on the Windows platform. For example, if a system has been compromised by a worm such as msblast or bugbear which installs a backdoor, I'd like to be able to scan the system to see if anyone has taken advantage of *that* backdoor to install another piece of malicious software like an IRC bot.
Part of what you're interested in is held within memory, meaning that it's volatile data...data that disappears when the system is shut down. Scanning may mean actually going to the system (or running commands remotely) to retrieve the necessary information.
> The primary complication is that software would only be used in situations where it was scanning machines AFTER they had been infected by some other virus. No software (like tripwire, etc.) can be installed before the infection.
This is true to a point. Tripwire (and software like it) doesn't do you much good if you don't have a baseline scan to compare things against. You're also correct about the issue of scanning after the machine has been compromised...this is just how it works. The issue is that admins need to do a much better job of configuring systems to prevent intrusions, or to detect those incidents that can't be prevented. The act of configuring their systems has the added benefit that the admin will have a much better idea of what the system should look like.
> First question- obviously there is lots of software that will search for trojans but is there any which will be cutting edge enough to catch the vast majority of the latest and greatest remote control malware?
You're approaching the situation from the wrong angle. Rather than looking for a software package with a huge database that will do a good job of detecting the known issues, why not put together your own toolkit for pulling and analyzing information from a system? Since you're familiar w/ the systems themselves, you'd be a much better resource for determining what is unusual or suspicious on a system, rather than a piece of software written by someone you never met.
> Second question- if so, is any of it substantially better than the regular antivirus software?
Anti-virus software doesn't detect everything. IRC bots like russiantopz, GTBot and PowerBot use mirc32.exe as their base, so they aren't detected.
> Finally- given the problem of trying to detect whether a random system in the wild has faced additional compromises (in a cost-effective manner), is there a better solution to the problem? The current *best* solution is to re-format the system (better safe than sorry) but that situation may be getting untenable given limited resources.
Not only that, but what does reformatting get you? If you make no effort to discover what the root cause of the compromise is, then you are simply creating more work for yourself. The machine is going to be compromised again, that's all there is to it...UNLESS you shut the door. A good deal of the compromises are automatic...worms and scripts are capable of doing the necessary work.
> any ideas, comments, or suggestions are greatly appreciated.
I'm working on a book right now that addresses this issue, specifically on Windows machines. One of the things I'm working on is a forensics server that not only eases the collection of data, but also performs some necessary correlation and analysis on the data that has been collected.
HTH,
Harlan
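The "build your own toolkit" and baseline advice above, as an added example that is not part of the original thread or of Harlan's book: a small Python script that joins `tasklist /fo csv /nh` output to `netstat -ano` output by PID and compares the live sockets against a baseline of which image is expected to own each port, flagging unexpected listeners, listeners whose owning image has changed, and connections to IRC ports or from mIRC-based images such as the mirc32.exe-based bots the reply mentions. The two command outputs, the baseline and the port list are constructed assumptions, not captures from a real host.

```python
import csv
import io

# Constructed sample output (not real captures) of `tasklist /fo csv /nh` and `netstat -ano`; a bot built on mirc32.exe is present.
TASKLIST = """\
"svchost.exe","940","Console","0","4,812 K"
"lsass.exe","708","Console","0","1,340 K"
"mirc32.exe","1764","Console","0","6,120 K"
"""
NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       940
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       1764
  TCP    192.0.2.10:1043        198.51.100.7:6667      ESTABLISHED     1764
  UDP    0.0.0.0:500            *:*                                    708
"""
# Assumed baseline from a known-good build of the same image (never from the suspect host): expected owner of each local port.
BASELINE = {("TCP", 135): "svchost.exe", ("UDP", 500): "lsass.exe"}
IRC_PORTS = {6667}                              # conventional IRC port; extend as needed
IRC_CLIENT_IMAGES = {"mirc32.exe", "mirc.exe"}  # bots that ship a real IRC client as their base

def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if len(row) > 1}

def parse_netstat(text):  # returns (proto, local_port, remote, state, pid) tuples from `netstat -ano` output
    conns = []
    for parts in (line.split() for line in text.splitlines()):
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if parts[0] == "TCP" else "LISTENING"  # UDP rows have no state column
        conns.append((parts[0], int(parts[1].rsplit(":", 1)[1]), parts[2], state, int(parts[-1])))
    return conns

def find_anomalies(tasklist_text, netstat_text, baseline):
    """Return (kind, detail) pairs for sockets that deviate from the baseline."""
    images = parse_tasklist(tasklist_text)
    findings = []
    for proto, lport, remote, state, pid in parse_netstat(netstat_text):
        image = images.get(pid, "<no such pid>")  # a socket with no owning process is itself worth a look
        if state == "LISTENING":
            expected = baseline.get((proto, lport))
            if expected is None:
                findings.append(("unexpected listener", f"{image} (pid {pid}) on {proto}/{lport}"))
            elif expected != image:
                findings.append(("listener owner changed", f"{proto}/{lport} owned by {image}, expected {expected}"))
        elif state == "ESTABLISHED":
            rport = int(remote.rsplit(":", 1)[1])
            if rport in IRC_PORTS or image.lower() in IRC_CLIENT_IMAGES:
                findings.append(("irc-style connection", f"{image} (pid {pid}) -> {remote}"))
    return findings
```

On the sample data this reports the mirc32.exe listener on TCP/113 and its connection to 198.51.100.7:6667, while the baselined svchost.exe and lsass.exe sockets are silent.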