Penetration Testing mailing list archives
Re: Spyware assessment techniques
From: Packet Man <packetman () altsec info>
Date: Fri, 10 Feb 2006 14:57:01 -0600
Derek Nash wrote:
Recently I have begun to consider including data from a web usage analysis tool that has the ability to identify spyware downloads and phone home attempts to augment these manual efforts. I am wondering what others are doing in regards to spyware assessments and if anyone is aware of a spyware "network scanner" that would allow me to look at a larger sampling of hosts on a network during these assessments.
My last intensive research into this seemed to indicate Sunbelt Software's "Counterspy", and I found it quite effective in installations at my former day job. Here's a comparison review: http://www.consumersearch.com/www/software/anti-spyware-reviews/index.html

Overall though, I think that "true" detection of any unauthorized software boils down to three things:

1. Intensive audit of the system(s) (HIDS)
2. Network monitoring (NIDS, sniffing)
3. Audit logs of the systems themselves

While use of products such as Counterspy is invaluable in protection of hosts, they are inherently "reactionary" and rely on detection techniques that are always going to be a jump behind the leading edge attackers. Therefore, I rely on a HIDS such as Osiris to do frequent sweeps of the hosts' critical files. Then, I install a central logging client such as "Snare" on the Windows hosts, and have ALL systems in the network log to a tightly secured, central logging host. Those logs are frequently scanned and analyzed. Further, I use snort and firewall logs to keep track of who is connecting to whom on what port. Those logs are frequently correlated and analyzed as well. One thing that helps much is to force browsing through a proxy, such as Squid or its commercial equivalents.

I hope this helps.

--
Excellence in InfoSec and Linux
http://www.altsec.info
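As an added illustration of the proxy-log analysis the reply recommends (this is not code from the original post or from Squid, Osiris or Snare): a Python script that parses constructed Squid native access.log lines and flags client/host pairs that are polled at a near-constant interval, which is the typical shape of a spyware phone-home beacon. The log lines, hostnames and thresholds are all made up for the example.

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed Squid native access.log sample (not real traffic).
# Fields: timestamp elapsed client action/code size method URL ident hierarchy type
SAMPLE_LOG = """\
1139598000.100   120 192.168.1.10 TCP_MISS/200 512 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1139598060.050    40 192.168.1.10 TCP_MISS/200 64 GET http://updates.example-tracker.invalid/ping?id=42 - DIRECT/203.0.113.5 text/plain
1139598120.070    38 192.168.1.10 TCP_MISS/200 64 GET http://updates.example-tracker.invalid/ping?id=42 - DIRECT/203.0.113.5 text/plain
1139598180.020    41 192.168.1.10 TCP_MISS/200 64 GET http://updates.example-tracker.invalid/ping?id=42 - DIRECT/203.0.113.5 text/plain
1139598240.090    39 192.168.1.10 TCP_MISS/200 64 GET http://updates.example-tracker.invalid/ping?id=42 - DIRECT/203.0.113.5 text/plain
1139598300.010    40 192.168.1.10 TCP_MISS/200 64 GET http://updates.example-tracker.invalid/ping?id=42 - DIRECT/203.0.113.5 text/plain
1139598011.000   200 192.168.1.11 TCP_MISS/200 2048 GET http://www.example.com/news - DIRECT/93.184.216.34 text/html
1139598999.000   210 192.168.1.11 TCP_MISS/200 2048 GET http://www.example.com/news - DIRECT/93.184.216.34 text/html
"""

# timestamp, elapsed, client, action/code, size, method, URL
LINE_RE = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+\S+\s+\d+\s+\S+\s+(\S+)")

def parse_squid(text):
    """Yield (timestamp, client, destination host) for each parseable log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, url = m.groups()
        host = urlsplit(url).hostname or url.split(":")[0]  # CONNECT lines are host:port
        yield float(ts), client, host

def find_beacons(text, min_hits=4, max_jitter=0.2):
    """Flag (client, host) pairs polled at a near-constant interval.
    A pair is reported when it has at least min_hits requests and the gaps
    between them vary (population stdev) by less than max_jitter * mean gap.
    Returns {(client, host): mean_interval_seconds}."""
    series = defaultdict(list)
    for ts, client, host in parse_squid(text):
        series[(client, host)].append(ts)
    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) <= max_jitter * mean:
            beacons[key] = round(mean, 1)
    return beacons
```

On the sample, only the 192.168.1.10 client's minute-by-minute polls of updates.example-tracker.invalid are reported; ordinary browsing to www.example.com is too sparse and irregular to match.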