Security Basics mailing list archives

Re: Malware detection


From: Vic Vandal <vvandal () well com>
Date: Thu, 19 Jul 2012 06:07:19 -0700 (PDT)

I typed up the following response to Tony's initial email, and then before sending noticed that John had already 
replied with a VERY similar message.  Here's my copied verbiage (below) for added measure.  
I'll also piggyback on something John stated that I didn't in my original text.  John said "no solution is 100% 
effective".  Agreed in full.  That's where practice with and usage of multiple tools (hopefully free ones for the most 
part) can help.  In small environments or where you have suspicions that a machine is infected you can do manual 
analysis, which may reveal brand new malware that no tool is currently picking up.  And defense-in-depth is always a 
good plan.  Anyway here's my original response:


I'm not professionally endorsing any products, but I'll state that MalwareBytes (free or Pro version) should be able to 
detect (and eradicate) those trojans, without impacting your production machines (beyond the need for a quick reboot in 
some cases to complete the cleanup job).  You can postpone the reboot (where required).

There absolutely are other products (i.e., ComboFix) that will render your production machines completely unusable 
while scanning, which is obviously what you're hoping to avoid.

Then there are network-based products which detect and report on: suspect Internet connections to/from botnet C&C 
servers, as well as the download of trojan keystroke loggers, rootkits, etc.  Those could alert to the presence of 
such malware along with the infected production machine identification.  Again, not endorsing any products, but (if you 
have some budget and work cycles to spare) you can look at things like FireEye, TMS (Trend), WildFire (Palo Alto), 
MetaFlows, etc.


Peace,
Vic
(lifetime malware hater)


----- Original Message -----
From: "John Hebert" <jhebert () bizdps com>
To: "ricky rap28" <ricky.rap28 () gmail com>, listbounce () securityfocus com, "Tony" <xnikod () gmail com>, 
security-basics () securityfocus com
Sent: Wednesday, July 18, 2012 1:31:20 PM
Subject: RE: Malware detection


-----Original Message-----
From: ricky alwi [mailto:ricky.rap28 () gmail com]
Sent: Wednesday, July 18, 2012 1:03 PM
To: John Hebert; listbounce () securityfocus com; Tony; security-basics () securityfocus com
Subject: Re: Malware detection

John Hebert

What if the system is using Windows Server 2003 R2? My office is using this system.


Keeping in mind that the "best" solution changes as technology changes, and that no solution is 100% effective (other 
than a reformat of a computer), try to find one that's consistently a top performer and doesn't have a reputation for 
slowing down the computer.  Most vendors offer free trials, and I'd highly recommend making use of those options to 
find one that works well with your business applications.  What works for one company may or may not work as well for 
another.

My recommendation would be to look at Kaspersky.  It detects not only existing malware that might be on the computer, 
but works to fight infections as/before they happen.  If you're looking for something to inspect on-demand, take a look 
at MalwareBytes.  You may be familiar with their free tool, but they have corporate licensing available as well.  

That being said, it's really only part of the equation.  The trojans do need to communicate with someone, somewhere, so 
having some sort of network traffic filtering and monitoring in place to look for odd behavior should be a to-do item.  
That way, even if one of your systems becomes infected, it's an extra check in place to notice and hopefully prevent it 
from communicating with the control server(s).  



Thx before.

Regards,

Ricky
Sent from my BlackBerry(r) via Smart 1x / EVDO Network.
Smart.Hebat.Hemat.
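
John's point about watching network traffic for odd behaviour, and Vic's mention of network-based products that flag 
suspect connections to C&C servers, can be illustrated with a small beacon detector. The code below is an added example 
written for this archive page; it is not code from any of the thread's participants or from the products they name. The 
log format, the IP addresses and the timestamps are all constructed for the example. It flags an internal host that 
contacts the same external host and port at a regular interval, which is the periodic check-in pattern a trojan talking 
to its control server tends to show, as opposed to the bursty, irregular pattern of a person browsing.

```python
"""Flag internal hosts that appear to beacon to a command-and-control server.

Added example for the Security Basics thread; not code from the thread or from
any product named in it. The log below is constructed: the format
"timestamp src_ip dst_ip dst_port bytes" is assumed, and the addresses come
from documentation ranges. Host 10.0.0.5 checks in with 203.0.113.10:443
every five minutes; host 10.0.0.7 browses irregularly.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall/proxy log lines (not real traffic).
SAMPLE_LOG = """\
2012-07-18T13:00:00 10.0.0.5 203.0.113.10 443 512
2012-07-18T13:00:02 10.0.0.7 198.51.100.20 80 40231
2012-07-18T13:05:00 10.0.0.5 203.0.113.10 443 498
2012-07-18T13:07:41 10.0.0.7 198.51.100.21 80 1200
2012-07-18T13:10:01 10.0.0.5 203.0.113.10 443 505
2012-07-18T13:12:19 10.0.0.7 198.51.100.20 443 9000
2012-07-18T13:15:00 10.0.0.5 203.0.113.10 443 512
2012-07-18T13:20:00 10.0.0.5 203.0.113.10 443 517
2012-07-18T13:25:01 10.0.0.5 203.0.113.10 443 503
2012-07-18T13:33:55 10.0.0.7 198.51.100.22 80 77000
"""


def parse_log(text):
    """Return (timestamp, src, dst, port, bytes) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            records.append((ts, parts[1], parts[2], int(parts[3]), int(parts[4])))
        except ValueError:
            continue  # unparsable timestamp, port or byte count
    return records


def find_beacons(records, min_connections=5, max_jitter=0.2):
    """Group connections by (src, dst, port) and flag regular-interval talkers.

    A pair is reported when it has at least min_connections events and the
    gaps between events are consistent: standard deviation divided by the
    mean gap (the "jitter") is at or below max_jitter. Ordinary browsing to a
    busy site usually has far more irregular timing than this.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in records:
        by_pair[(src, dst, port)].append(ts)

    findings = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all events in the same second: a burst, not a beacon
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "port": port,
                "count": len(times),
                "interval_s": round(avg, 1),
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print("possible beacon: {src} -> {dst}:{port} every {interval_s}s "
              "({count} connections, jitter {jitter})".format(**hit))
```

Run as-is it reports only 10.0.0.5 talking to 203.0.113.10:443 about every 300 seconds. The thresholds are 
starting points to tune against your own traffic; a host that runs a legitimate scheduled job (time sync, update 
checks) will also show regular intervals, so a hit is something to look at on the machine, not proof of infection by 
itself.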



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


Current thread: