Security Basics mailing list archives

RE: Best way to look for Worms/Malware


From: "Sachin Chadha" <sachin.chadha () aksitservices co in>
Date: Wed, 15 Sep 2010 10:05:22 +0530

Well, I am writing a paper on it. Just to give you a brief:


Look for suspicious files in local drives (C, D, E etc.)
Look for suspicious files in Windows, System32 and in the Temp directory (if
you find any, try to Google them)
Run TCPView and Process Explorer and try to find the malware
Check autorun (msconfig, msinfo32)
If the malware is known, you can find the location in the registry
Check DNS entries (ipconfig /displaydns); usually Trojans will try to
make a remote connection
Close all your applications and run Wireshark to see what is going out from
your card
Go to the command prompt and check for hidden files in the local drive (dir /ah);
also try the attrib command
Can also try Procmon from Sysinternals, a really very effective tool to find
malware

Regards
Sachin Chadha
Information Security Consultant
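As an added example that is not part of Sachin's post or of any tool named in it, the checklist above can be run as one read-only PowerShell triage script that collects hidden files, Run-key autoruns, the DNS resolver cache, running processes and their established TCP connections into a single timestamped folder. It assumes Windows PowerShell 4 or later (for Get-FileHash); Get-DnsClientCache and Get-NetTCPConnection exist only on Windows 8 / Server 2012 and later, so it falls back to ipconfig /displaydns and netstat -ano where they are missing. The "review-first" heuristic at the end (external connection owned by an unsigned process or one running from a user-writable directory) is an assumption of this example, chosen to narrow the review, not a verdict on the host.

```powershell
# Added example, not part of the original post: read-only host triage collector.
# Assumes Windows PowerShell 4+; run from an elevated prompt so that system
# directories and every process image path are visible.

$OutDir = Join-Path $env:TEMP ("triage-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $OutDir | Out-Null

# Private, loopback and link-local ranges; a connection to anything else gets a second look.
function Test-PrivateAddress([string]$Ip) {
    return [bool]($Ip -match '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|0\.0\.0\.0$|::1$|fe80:)')
}

# 1. Hidden files in drive roots, %SystemRoot%, System32 and %TEMP% (the 'dir /ah' step).
#    The SHA-256 is recorded so a suspicious file can be looked up by hash as well as by name.
$Roots = [IO.DriveInfo]::GetDrives() |
         Where-Object { $_.DriveType -eq 'Fixed' -and $_.IsReady } |
         ForEach-Object { $_.RootDirectory.FullName }
$Paths = @($Roots) + @($env:SystemRoot, "$env:SystemRoot\System32", $env:TEMP)
$Hidden = foreach ($p in $Paths) {
    Get-ChildItem -Path $p -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                Size          = $_.Length
                LastWriteTime = $_.LastWriteTime
                Sha256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            }
        }
}
$Hidden | Sort-Object LastWriteTime -Descending |
    Export-Csv (Join-Path $OutDir 'hidden-files.csv') -NoTypeInformation

# 2. Autorun entries from the machine and current-user Run/RunOnce keys.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$Autoruns = foreach ($key in $RunKeys) {
    if (Test-Path $key) {
        # Get-ItemProperty adds PSPath/PSChildName/... bookkeeping properties; skip those.
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
    }
}
$Autoruns | Export-Csv (Join-Path $OutDir 'autoruns.csv') -NoTypeInformation

# 3. Running processes with image path and Authenticode signature status.
$Procs = Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.Path -ErrorAction SilentlyContinue
    [pscustomobject]@{ PID = $_.Id; Name = $_.ProcessName; Path = $_.Path; Signature = $sig.Status }
}
$Procs | Export-Csv (Join-Path $OutDir 'processes.csv') -NoTypeInformation

# 4. Established TCP connections mapped to their owning process (the TCPView step).
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $Conns = Get-NetTCPConnection -State Established | ForEach-Object {
        $c = $_
        $owner = $Procs | Where-Object { $_.PID -eq $c.OwningProcess } | Select-Object -First 1
        [pscustomobject]@{
            Local     = "$($c.LocalAddress):$($c.LocalPort)"
            Remote    = "$($c.RemoteAddress):$($c.RemotePort)"
            PID       = $c.OwningProcess
            Process   = $owner.Name
            Path      = $owner.Path
            Signature = $owner.Signature
            External  = -not (Test-PrivateAddress $c.RemoteAddress)
        }
    }
    $Conns | Export-Csv (Join-Path $OutDir 'connections.csv') -NoTypeInformation
} else {
    netstat -ano | Out-File (Join-Path $OutDir 'connections.txt')
    $Conns = @()
}

# 5. DNS resolver cache (the 'ipconfig /displaydns' step).
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    Get-DnsClientCache | Select-Object Entry, RecordType, Data, TimeToLive |
        Export-Csv (Join-Path $OutDir 'dns-cache.csv') -NoTypeInformation
} else {
    ipconfig /displaydns | Out-File (Join-Path $OutDir 'dns-cache.txt')
}

# 6. Review-first list (heuristic assumed by this example): external connections whose
#    owning process is unsigned, unknown, or runs from a user-writable location.
$Suspect = $Conns | Where-Object {
    $_.External -and ($_.Signature -ne 'Valid' -or
                      $_.Path -match '\\(Temp|AppData|ProgramData|Users\\Public)\\')
}
$Suspect | Format-Table -AutoSize
$Suspect | Export-Csv (Join-Path $OutDir 'review-first.csv') -NoTypeInformation
Write-Host "Triage output written to $OutDir"
```

Copy the output folder off the machine before changing anything on it; the CSVs are meant to be compared against a known-good host (same Run keys, same signed system processes), which is what makes an unfamiliar entry stand out.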


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Henri Salo
Sent: Tuesday, September 14, 2010 12:59 AM
To: Todd Haverkos
Cc: dhamm () cinci rr com; security-basics () securityfocus com
Subject: Re: Best way to look for Worms/Malware

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 11 Sep 2010 10:34:51 -0500
Todd Haverkos <infosec () haverkos com> wrote:

Henri Salo <henri () nerv fi> writes:

On Mon, 8 Feb 2010 11:52:34 -0700
dhamm () cinci rr com wrote:

While this might be a question for the IDS mailing list, I think it
is a good Security Basics question too, as I am sure many of us
getting into security will have a similar question. I have a client
who wants to get an idea whether or not there is anything roaming
in the background on the network. He is running an older
non-managed switch network, and wants to know what would be a good way
to set up some kind of detector, besides having patching and
antivirus. So my question is, should he set up an IDS of some kind,
preferably something that can be set up quickly, with the
understanding that he wants to set up a more permanent IDS solution
in the near future? Or should he do some sort of IDS/honeypot
combination? Any suggestions would be appreciated.

Thanks,
David Hamm

My suggestions: nmap, snort and nepenthes

http://nmap.org/
http://www.snort.org/
http://nepenthes.carnivore.it/

Snort is a very good suggestion.  He'll need to get all network
traffic to it, however, so his existing switch may not have a span
port. 

One can also configure the IDS/IPS using a pass-through network card, or just
configure it to be in the middle of the traffic as a bridge.

Best regards,
Henri
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkyOe3gACgkQXf6hBi6kbk+2+gCfSDV5M5mHiHpFRkHE/q3HAHfE
huoAnR5lNFLkuN7FHrLwRoYElynfRXZe
=nbh3
-----END PGP SIGNATURE-----

