Full Disclosure mailing list archives
Re: List of worm and trojan files
From: GuidoZ <uberguidoz () gmail com>
Date: Tue, 28 Dec 2004 13:16:45 -0800
> Assuming the attacker is competent, the only way to "clean" a deeply compromised machine is to reformat the drive and start from scratch. The truly paranoid will question whether just formatting the drive is sufficient.
This isn't necessarily the case. While it will get the system up and going again (and clean for the moment), if you don't do any root cause analysis, then the problem will likely just return. You need to do some investigating and figure out WHAT the problem is and HOW it got there. Otherwise you haven't fixed anything.

This goes for any incident. Spyware/Adware/virus/trojan/worm or your fav malware... they all have to get onto the system somehow. Without knowing how and just reformatting, how have you fixed the actual issue at hand?

One of the definitions of insanity: "Doing the same thing and expecting a different result". Therefore, it's certifiably insane to reload the system (to the previous state) and expect it to not be reinfected. =)

--
Peace. ~G

On Thu, 23 Dec 2004 23:03:39 -0600, Kevin <kkadow () gmail com> wrote:
> Carilda A Thomas <cat () the-cat com> wrote:
> > I have been looking but I cannot find a list all in one place of the various illegitimate files that various worms and trojans install into Microsoft systems.
>
> What'd really help here is a list of MD5 checks for "known bad" binaries. Obviously a custom build of sdbot or just a simple hexedit would defeat this, but such a list would still have value against automated attacks, etc.
>
> > Perhaps I should clarify about this list thing: A friend of mine is apparently running a rogue email server and a rogue ftp server, and none of the virus checkers we have tried will determine what program or where. I looked for a windows equivalent to lsof but there doesn't appear to be one -
>
> Sysinternals has applications that, taken in combination, do much of what 'lsof' does under Unix. Specifically, tcpview (http://www.sysinternals.com/ntw2k/source/tcpview.shtml) will show you any listening sockets, the associated process, and the location from which the process launched. This should suffice to locate a rogue FTP service on a Windows PC.
>
> > the one I found can only determine the program if it sees a packet go by and cannot find a quiescent program. The A/V checkers do not flag an email server, considering it a legitimate program. Task manager is also destroyed, so there is no help there. I was hoping to find a list of illegitimate files for which I could check.
>
> Assuming the attacker is competent, the only way to "clean" a deeply compromised machine is to reformat the drive and start from scratch. The truly paranoid will question whether just formatting the drive is sufficient.
>
> Kevin Kadow
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
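One way to act on Kevin's suggestion of an MD5 list of "known bad" binaries, written here as an added example rather than anything posted in this thread: hash every file under a directory and report the ones whose digest appears in the list. The list, the file names and the file contents are all constructed (no real malware hashes are involved), and the last file in the demo shows the caveat Kevin raises, that a single changed byte defeats an exact-hash match even though a renamed exact copy is still caught.

```python
"""Known-bad hash list check, with the hexedit caveat from the thread demonstrated.

Added example, not from the mailing-list thread. The "known bad" list, the
file names and the file contents below are all constructed for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def md5_of_file(path: Path, chunk_size: int = 65536) -> str:
    """Return the hex MD5 of a file, read in chunks so large files are fine."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root: Path, known_bad: dict[str, str]) -> list[tuple[Path, str]]:
    """Walk `root` and return (path, label) for every file whose MD5 is in `known_bad`.

    `known_bad` maps hex MD5 -> human-readable label. Matching is on content
    only, so a renamed copy is still caught, but any byte change is not.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # do not follow links out of the tree being scanned
            digest = md5_of_file(p)
            if digest in known_bad:
                hits.append((p, known_bad[digest]))
    return hits


def demo() -> dict:
    """Build a tiny tree of constructed files and show what the list catches."""
    # Constructed stand-ins; neither is a real program or a real sample.
    bad_bytes = b"MZ\x90\x00 constructed stand-in for a known dropper binary\n"
    benign_bytes = b"MZ\x90\x00 constructed stand-in for a legitimate program\n"

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        # Exact copy of the listed payload: caught.
        (root / "system32" / "svchost32.exe").write_bytes(bad_bytes)
        # Unrelated content: not in the list.
        (root / "system32" / "notepad.exe").write_bytes(benign_bytes)
        # Same payload under another name: content hashing still catches it.
        (root / "renamed.dat").write_bytes(bad_bytes)
        # One byte changed, the "simple hexedit" from the thread: missed.
        (root / "system32" / "svchost64.exe").write_bytes(bad_bytes[:-2] + b"!\n")

        # Constructed known-bad list: digest -> label.
        known_bad = {hashlib.md5(bad_bytes).hexdigest(): "constructed-dropper-sample"}
        hits = scan_directory(root, known_bad)
        return {
            "hit_names": sorted(p.name for p, _ in hits),
            "files_scanned": 4,
        }


if __name__ == "__main__":
    result = demo()
    print(f"{len(result['hit_names'])} of {result['files_scanned']} files matched:")
    for name in result["hit_names"]:
        print("  ", name)
```

The two exact copies are reported and the one-byte variant is not, which is exactly why such a list helps against automated mass-deployment of an unchanged binary but not against a custom build. Pairing the hash check with something that looks at behaviour (for instance tcpview's listening-socket-to-process mapping, as Kevin notes) covers the case the hash list cannot.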
Current thread:
- List of worm and trojan files Carilda A Thomas (Dec 22)
- Re: List of worm and trojan files Matt McCormack (Dec 22)
- <Possible follow-ups>
- Re: List of worm and trojan files Carilda A Thomas (Dec 23)
- Re: List of worm and trojan files Barrie Dempster (Dec 24)
- Re: List of worm and trojan files Kevin (Dec 24)
- Re: List of worm and trojan files GuidoZ (Dec 28)
- RE: List of worm and trojan files ALD, Aditya, Aditya Lalit Deshmukh (Dec 24)
- Re: List of worm and trojan files Sam Gentle (Dec 24)
- RE: List of worm and trojan files Todd Towles (Dec 29)