Re: List of worm and trojan files

[GuidoZ <uberguidoz () gmail com>]

> Assuming the attacker is competent, the only way to "clean" a deeply
> compromised machine is to reformat the drive and start from scratch.
> The truly paranoid will question whether just formatting the drive is
> sufficient.

This isn't necessarily the case. While it will get the system up and
going again (and clean for the moment), if you don't do any root cause
analysis, then the problem will likely just return. You need to do
some investigating and figure out WHAT the problem is and HOW it got
there. Otherwise you haven't fixed anything.

This goes for any incident. Spyware/Adware/virus/trojan/worm or your
fav malware... they all have to get onto the system somehow. Without
knowing how and just reformatting, how have you fixed the actual issue
at hand?

One of the definitions of insanity: "Doing the same thing and
expecting a different result". Therefore, it's certifiably insane to
reload the system (to the previous state) and expect it to not be
reinfected. =)

--
Peace. ~G


On Thu, 23 Dec 2004 23:03:39 -0600, Kevin <kkadow () gmail com> wrote:
> Carilda A Thomas <cat () the-cat com> wrote:
> > I have been looking but I cannot find a list all in one
> > place of the various illegitimate files that various worms
> > and trojans install into Microsoft systems.
>
> What'd really help here is a list of MD5 checks for "known bad"
> binaries.  Obviously a custom build of sdbot or just a simple hexedit
> would defeat this, but such a list would still have value against
> automated attacks, etc.
>
> > Perhaps I should clarify about this list thing:  A friend
> > of mine is apparently running a rogue email server and a
> > rogue ftp server, and none of the virus checkers we have
> > tried will determine what program or where.  I looked for
> > a windows equivalent to lsof but there doesn't appear to
> > be one -
>
> Sysinternals has applications that, taken in combination, do much of
> what 'lsof' does under Unix.
>
> Specifically, tcpview
> (http://www.sysinternals.com/ntw2k/source/tcpview.shtml) will show you
> any listening sockets, the associated process, and the location from
> which the process launched.  This should suffice to locate a rogue FTP
> service on a Windows PC.
>
> the one I found can only determine the program if
> > it sees a packet go by and cannot find a quiescent
> > program.  The A/V checkers do not flag an email server,
> > considering it a legitimate program.  Task manager is also
> > destroyed, so there is no help there.  I was hoping to
> > find a list of illegitimate files for which I could check.
>
> Assuming the attacker is competent, the only way to "clean" a deeply
> compromised machine is to reformat the drive and start from scratch.
> The truly paranoid will question whether just formatting the drive is
> sufficient.
>
> Kevin Kadow
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html