Spyware, trojans and keyboard loggers?

[James Moore <jhmfa () RIT EDU>]

We are creating a "desktop security standard" and want to include
protection against spyware and keystroke loggers.  I am trying to get
good coverage.  I had anticipated that the big A/V vendors would have
swallowed up anti - spyware/backdoors/keyloggers by now.  But it seems
that they haven't.  In fact some are producing their own anti-spyware --
e.g. NAI/McAfee.  Some vendors, like SpyCop claim that most "keystroke
logger" protection doesn't cover 1) the commercial/shareware keyloggers
and 2) nearly as many as they do.

I am looking to get to the bottom line, which is coverage, in
conjunction with clarity (i.e. it doesn't come with a 368 page manual
that users are expected to read.  It also doesn't come with simple 2
step instructions, the first of which is "get a MS in computer science).

Any advice? Sample desktop security standards?

Thinking ahead to server security ... Any advice? Sample server security
standards? 

Thanks,

- - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Office: 585-475-5406
Lab: 585-475-4122
Fax: 585-475-7950 

"In the middle of difficulty lies opportunity." Albert Einstein

"The release of new internet threats have not created a new problem. It
has merely made more urgent the necessity of solving an existing one."
Parallels quote by Albert Einstein on atomic energy

> -----Original Message-----
> From: The EDUCAUSE Security Discussion Group Listserv 
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jordan Wiens
> Sent: Wednesday, July 21, 2004 2:49 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] keyboard logger?
>
> On Wed, 21 Jul 2004, Mark Wilson wrote:
>
> > Has anyone heard of a keyboard logger keykb.exe (167kb) ?  A 
> > compliment program may be named bkyek.ni (211 kb).  Any 
> information on 
> > this is appreciated.  I am not that experienced in 
> evaluating malware 
> > so any other tips on obtaining information about malware may help.
>
> The keykb.exe is detected as the following:
>
> Clamscan:       Trojan.Spy.Agent.P
> F-secure:       TrojanSpy.Win32.Agent.p [AVP]
>                 (f-secure just uses kav to detect it in this case)
> Dr. Web:        Trojan.Virtumod
> Kaspersky:      TrojanSpy.Win32.Agent.p
> RAV:            TrojanSpy/Win32.Agent.P
>
> You can try searching for more info from those AV vendor sites.
>
> It's UPX packed (thanks Kaspersky).  Here's some selected 
> strings for fun:
>
> http://203.199.200.61/
> :AttachThreadInput
> POST
> HTTP/1.1
> g_PopupPerDay
> g_ServerIPs
> g_Upgrade
> c:\Projects\GatorClone\GatorClone\Release\GatorClone.pdb
> Copyright (c) 1992-2001 by P.J. Plauger, licensed by 
> Dinkumware, Ltd. ALL RIGHTS RESERVED.
> c:\Projects\GatorClone\KillHook\Release\KillHook.pdb
>
> The other ini file is either encrypted or compressed, doesn't 
> contain any strings, or some combination of those, and 
> doesn't have a format I can guess at by glancing through it.
>
>
> Quick and Dirty General Malware Analysis Tutorial:
> --------------------------------------------------
> For easy and effective malware analysis, get a copy of vmware 
> (30 day free versions available, but it's well worth the cost 
> if you can get your university to buy a copy) and load it up with:
> http://www.sysinternals.com/ntw2k/source/filemon.shtml
> http://www.sysinternals.com/ntw2k/freeware/pmon.shtml
> http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
> http://www.sysinternals.com/ntw2k/source/regmon.shtml
>
> Along with a good sniffer (ethereal is hard to beat:
> http://www.ethereal.com/) and depending on your level of 
> guts, run it in the vmware environment with the network off 
> or on and monitor what it does.
>
> Make sure to save a snapshot of your vmware image after 
> you've set it up before infection so you can reset it to a 
> clean state immediately afterwards.
>
> On the linux side of things, there are a number of anti-virus 
> programs you can purchase and get for free that you can 
> script together to scan malware automatically.  That and the 
> file and strings command are essential as well (for windows 
> equivalents try:
> http://www.sysinternals.com/ntw2k/source/misc.shtml#strings
> http://gnuwin32.sourceforge.net)
>
> Windows users could try the same assuming they were able to 
> get the command-line scanners of the anti-virus softwares 
> installed and scripted together as well.  Alternatively, 
> check out virustotal which does most of the hard work for 
> you: http://www.virustotal.com.  One of the few downsides to 
> virustotal is they don't report of the packing information 
> that (for example) Dr. Webb and Kaspersky report which can be 
> essential to unpacking and examining malware.
>
> For those who really want to dig deep, get a good 
> disassembler/debugger in your vmware image as well.  I'd 
> highly recommend Ollydbg (though there was a recent exploit 
> announced in it, but that's why we're running it in our 
> vmware image anyway, right?  We're already planning on 
> running malware, so that shouldn't be that much of a problem 
> other than the fact that Ollydbg can't debug code 
> specifically built to exploit it):
> http://home.t-online.de/home/Ollydbg/ though many people like 
> the commercial products SoftIce and IDA Pro.
>
> --
> Jordan Wiens, CISSP
> UF Network Security Engineer
> (352)392-2061
>
> **********
> Participation and subscription information for this EDUCAUSE 
> Discussion Group discussion list can be found at 
> http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.