Security Basics mailing list archives

RE: Spyware

From: "Paris E. Stone" <pstone () alhurra com>
Date: Fri, 17 Dec 2004 08:15:47 -0500

That is correct, the best way too.

But, most spyware uses the outbound HTTP & HTTPS ports.  

Why?  
Because almost every firewall in the world allows that out.  

Why?
Because those are the ports we browse the web on.

Spyware authors are pretty smart.  I just found some spyware that set a
system restore point on a XP box, and whenever it's files got removed,
and registry keys got deleted, it system restored it's self right back!


~~~~~
Paris E. Stone, "Linux Zealot"
CISSP, CCNP, CNE, MCSE, CIW Master Administrator
~~~~~
"Not all who wander are lost."
J.R.R.T.
-----Original Message-----
From: dallas jordan [mailto:dallas.jordan () gmail com] 
Sent: Wednesday, December 15, 2004 2:09 PM
To: Matt Stern
Cc: security-basics () lists securityfocus com
Subject: Re: Spyware

I believe as a general rule, all traffic should be denied unless
explicitly permitted.  this includes incoming as well as outgoing
traffic.  You should start off with a "deny all" rule and then only
allow specific traffic through your firewall.  This way, there is less
chance you may miss something.  HTH.



On Tue, 14 Dec 2004 17:37:48 -0500, Matt Stern
<sternm () comprehensive com> wrote:

Hello all:

I was just wondering if spyware sends its answers "back home" on any
particular TCP or UDP port.  If so, then couldn't I doubly safeguard

the

LAN (after trying to keep all the spyware off the workstations) by
disallowing outbound communications via the firewall, for those ports?
Or conversely, instead of allowing all outbound traffic, only allow

the

usual ports, such as 80, 443, 23, etc?

Thanks.

--
Matthew H. Stern, CCP/CDP, sternm () comprehensive com
Serving the IT industry since 1976
Comprehensive Computer Services Inc.
www.comprehensive.com
Phone: 631 755-2250, Fax 755-2254
560 Broad Hollow Road, Melville NY 11747



-- 
Dallas Jordan CCNA, Security+
Ernst & Young LLP
Security & Technology Solutions (STS)
Office:   404-817-5940
Mobile:  843-991-0271
EY/Comm:   7455673
E-mail:  Dallas.Jordan () ey com

Current thread:

Spyware Matt Stern (Dec 15)
- Re: Spyware dallas jordan (Dec 16)
- Re: Spyware Liran Cohen (Dec 16)
- Re: Spyware Jon Lawhead (Dec 16)
- <Possible follow-ups>
- RE: Spyware Gross Barry D. (Dec 16)
- RE: Spyware Jeff Gercken (Dec 16)
- RE: Spyware Griffin, Van (Dec 16)
- RE: Spyware Friend, Jason A Contractor/CoTs (Dec 16)
- RE: Spyware geraldf (Dec 16)
- RE: Spyware Paris E. Stone (Dec 17)