Security Basics mailing list archives
Re: Windows Bot/Trojan/Backdoor scanner
From: Markus Rossi <securityfocus () familyrossi com>
Date: Sun, 14 Sep 2003 13:45:29 +0300
Hi,

I'd suggest logging activity on your router/firewall or running an IDS to identify IRC or any other unauthorised network usage. That way you don't have to stay on top of the latest malware developments, just identify "normal" network activity and block & log everything else.
Another approach is a distributed firewall (running on every workstation) such as Symantec/Norton which you can configure from a central console. Just like ZoneAlarm it should ask for permission to allow any new software to access the network. This will effectively block both backdoors and (if somehow they manage to install them) IRCbots and such.
Port scanners are used for finding out what services are running on the network. This includes backdoors/trojans. My favourite is SuperScan, which includes lists of known trojans. You can also add your own entries.
Regards, MR

Andrew Hecox wrote:
greetings!... as the subject implies, I'm looking for something to scan for backdoor software on the Windows platform. For example, if a system has been compromised by a worm such as msblast or bugbear which installs a backdoor, I'd like to be able to scan the system to see if anyone has taken advantage of *that* backdoor to install another piece of malicious software like an IRC bot.

The primary complication is that software would only be used in situations where it was scanning machines AFTER they had been infected by some other virus. No software (like tripwire, etc.) can be installed before the infection.

First question- obviously there is lots of software that will search for trojans, but is there any which will be cutting edge enough to catch the vast majority of the latest and greatest remote control malware?

Second question- if so, is any of it substantially better than the regular antivirus software?

Finally- given the problem of trying to detect whether a random system in the wild has faced additional compromises (in a cost-effective manner), is there a better solution to the problem? The current *best* solution is to re-format the system (better safe than sorry) but that situation may be getting untenable given limited resources. SwatIt came to mind but I don't have any meaningful evidence relating to its effectiveness.

Any ideas, comments, or suggestions are greatly appreciated.

-cheers!
-Andrew

---------------------------------------------------------------------------
Captus Networks Are you prepared for the next Sobig & Blaster? - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Precisely Define and Implement Network Security - Automatically Control P2P, IM and Spam Traffic FIND OUT NOW - FREE Vulnerability Assessment Toolkit http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------
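As an added illustration of the "identify normal traffic, log everything else" approach in the reply above (example code written for this archive page, not from either poster), the script below parses constructed firewall accept-log lines, checks each workstation connection against a small allowlist, and tags anything outside it, with connections to IRC ports called out separately. The log format, addresses, allowlist and port ranges are assumptions.

```python
# Flag workstation connections that fall outside a known-good baseline.
# Log format, addresses and allowlist below are assumptions made for this example.
import re
from ipaddress import ip_address, ip_network

# Constructed sample: one accepted outbound connection per line, as a firewall might log it.
SAMPLE_LOG = """\
Sep 14 13:40:01 fw accept src=192.168.1.20 dst=203.0.113.10 proto=tcp dport=80
Sep 14 13:40:05 fw accept src=192.168.1.20 dst=192.168.1.2 proto=udp dport=53
Sep 14 13:41:12 fw accept src=192.168.1.31 dst=198.51.100.7 proto=tcp dport=6667
Sep 14 13:41:40 fw accept src=192.168.1.31 dst=203.0.113.55 proto=tcp dport=443
Sep 14 13:42:03 fw accept src=192.168.1.45 dst=198.51.100.9 proto=tcp dport=4444
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ accept src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)$"
)

WORKSTATIONS = ip_network("192.168.1.0/24")
# Expected outbound traffic from workstations as (proto, dport, dst); dst None means any host.
BASELINE = {("tcp", 80, None), ("tcp", 443, None), ("udp", 53, ip_address("192.168.1.2"))}
IRC_PORTS = set(range(6660, 6670)) | {7000}  # assumed common IRC server ports

def parse_line(line):
    """Parse one accept-log line into a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": ip_address(m["src"]), "dst": ip_address(m["dst"]),
            "proto": m["proto"], "dport": int(m["dport"])}

def is_baseline(rec):
    """True when the connection matches an allowlisted (proto, port, destination) tuple."""
    for proto, dport, dst in BASELINE:
        if rec["proto"] == proto and rec["dport"] == dport and dst in (None, rec["dst"]):
            return True
    return False

def find_anomalies(log_text):
    """Return (src, dst, dport, tag) for workstation connections outside the baseline."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in WORKSTATIONS or is_baseline(rec):
            continue
        tag = "irc-port" if rec["dport"] in IRC_PORTS else "unexpected"
        alerts.append((str(rec["src"]), str(rec["dst"]), rec["dport"], tag))
    return alerts
```

Calling find_anomalies(SAMPLE_LOG) on the constructed log yields two hits: the 6667 connection from 192.168.1.31 tagged irc-port and the 4444 connection from 192.168.1.45 tagged unexpected.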
Current thread:
- Windows Bot/Trojan/Backdoor scanner Andrew Hecox (Sep 12)
- Re: Windows Bot/Trojan/Backdoor scanner Markus Rossi (Sep 15)
- Re: Windows Bot/Trojan/Backdoor scanner Andrew Hecox (Sep 15)
- <Possible follow-ups>
- Re: Windows Bot/Trojan/Backdoor scanner H Carvey (Sep 15)
- Re: Windows Bot/Trojan/Backdoor scanner Markus Rossi (Sep 15)