RE: List of worm and trojan files

["Todd Towles" <toddtowles () brookshires com>]

GuidoZ is correct. I have seen companies ship new PCs out to customers
because of very bad infections and spyware...but of course they don't
patch them with anything. (Not even the LSASS holes)...so in two weeks
you have the same mess. 

I look at it and see Sasser, SD-Bot and I know want you have to do to
stop it. A huge corporation can't do the same?

> -----Original Message-----
> From: full-disclosure-bounces () lists netsys com 
> [mailto:full-disclosure-bounces () lists netsys com] On Behalf Of GuidoZ
> Sent: Tuesday, December 28, 2004 3:17 PM
> To: Kevin
> Cc: Carilda A Thomas; full-disclosure () lists netsys com
> Subject: Re: [Full-disclosure] List of worm and trojan files
>
> > Assuming the attacker is competent, the only way to "clean" 
> a deeply 
> > compromised machine is to reformat the drive and start from scratch.
> > The truly paranoid will question whether just formatting 
> the drive is 
> > sufficient.
>
> This isn't necessarily the case. While it will get the system 
> up and going again (and clean for the moment), if you don't 
> do any root cause analysis, then the problem will likely just 
> return. You need to do some investigating and figure out WHAT 
> the problem is and HOW it got there. Otherwise you haven't 
> fixed anything.
>
> This goes for any incident. Spyware/Adware/virus/trojan/worm 
> or your fav malware... they all have to get onto the system 
> somehow. Without knowing how and just reformatting, how have 
> you fixed the actual issue at hand?
>
> One of the definitions of insanity: "Doing the same thing and 
> expecting a different result". Therefore, it's certifiably 
> insane to reload the system (to the previous state) and 
> expect it to not be reinfected. =)
>
> --
> Peace. ~G
>
>
> On Thu, 23 Dec 2004 23:03:39 -0600, Kevin <kkadow () gmail com> wrote:
> > Carilda A Thomas <cat () the-cat com> wrote:
> > > I have been looking but I cannot find a list all in one 
> place of the 
> > > various illegitimate files that various worms and trojans install 
> > > into Microsoft systems.
> >
> > What'd really help here is a list of MD5 checks for "known bad"
> > binaries.  Obviously a custom build of sdbot or just a 
> simple hexedit 
> > would defeat this, but such a list would still have value against 
> > automated attacks, etc.
> >
> > > Perhaps I should clarify about this list thing:  A friend 
> of mine is 
> > > apparently running a rogue email server and a rogue ftp 
> server, and 
> > > none of the virus checkers we have tried will determine 
> what program 
> > > or where.  I looked for a windows equivalent to lsof but there 
> > > doesn't appear to be one -
> >
> > Sysinternals has applications that, taken in combination, 
> do much of 
> > what 'lsof' does under Unix.
> >
> > Specifically, tcpview
> > (http://www.sysinternals.com/ntw2k/source/tcpview.shtml) 
> will show you 
> > any listening sockets, the associated process, and the 
> location from 
> > which the process launched.  This should suffice to locate 
> a rogue FTP 
> > service on a Windows PC.
> >
> > the one I found can only determine the program if
> > > it sees a packet go by and cannot find a quiescent 
> program.  The A/V 
> > > checkers do not flag an email server, considering it a legitimate 
> > > program.  Task manager is also destroyed, so there is no 
> help there.  
> > > I was hoping to find a list of illegitimate files for 
> which I could 
> > > check.
> >
> > Assuming the attacker is competent, the only way to "clean" 
> a deeply 
> > compromised machine is to reformat the drive and start from scratch.
> > The truly paranoid will question whether just formatting 
> the drive is 
> > sufficient.
> >
> > Kevin Kadow
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html