Penetration Testing mailing list archives
Re: Spyware assessment techniques
From: Thorsten Holz <thorsten.holz () mmweg rwth-aachen de>
Date: Fri, 10 Feb 2006 20:17:39 +0100
Butler, Theodore wrote:
> A companion question, what if you had to do this from a command line? How would it be done without the spyware tools?
My advice based on some experience with bots/adware:
- Look at the running processes and identify unusual entries
- Similarly, take a look at all the run keys in the registry (autostart for malware)
- Look for suspicious files in C:\, C:\%windir%, C:\%windir%\system32

With this information, you can find the most obvious ones. With stealthier malware (hiding with the help of rootkits), you can look for suspicious drivers, but a good installation will hide itself so that it can't be detected from the command line.
From a network point of view, look for suspicious connections at the gateway (netflow helps here). Identify unusual flows, use of unusual ports used for Command & Control, recurring patterns, ... Perhaps you can also use ngrep to search for suspicious network communication.

Just my 0.02 cent,
Thorsten
--
http://honeyblog.org
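The network-side checks Thorsten describes (unusual destination ports, recurring connection patterns to one host) can be scripted over exported flow records. The following is an added example, not code from the original post or from Thorsten: it runs two heuristics over a handful of constructed NetFlow-style records. The port allowlist, the thresholds, and the sample flows (including the 60-second check-ins to port 6667, a classic IRC bot C&C port) are assumptions made for the illustration; on a real network you would feed it flows from your collector and tune the allowlist to what the site actually uses.

```python
"""Flag suspicious outbound flows in NetFlow-style records.

Two heuristics from the post: (1) connections to unusual destination ports,
(2) recurring, regularly spaced connections to one host (beaconing).
All sample data below is constructed for this example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Ports this (hypothetical) site considers routine for outbound traffic.
COMMON_PORTS = {25, 53, 80, 110, 123, 143, 443, 993, 995}

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    (1000, "10.0.0.5", "203.0.113.9", 80, 4200),
    (1030, "10.0.0.5", "198.51.100.7", 6667, 310),   # bot checking in every 60 s
    (1090, "10.0.0.5", "198.51.100.7", 6667, 290),
    (1150, "10.0.0.5", "198.51.100.7", 6667, 305),
    (1210, "10.0.0.5", "198.51.100.7", 6667, 298),
    (1270, "10.0.0.5", "198.51.100.7", 6667, 312),
    (1100, "10.0.0.8", "203.0.113.20", 443, 15000),  # irregular, human-driven HTTPS
    (1500, "10.0.0.8", "203.0.113.20", 443, 9000),
    (2100, "10.0.0.8", "203.0.113.20", 443, 12000),
    (1300, "10.0.0.5", "192.0.2.44", 8080, 700),      # odd port, one-off
]


def unusual_ports(flows, common=COMMON_PORTS):
    """Return sorted (src, dst, port) triples whose destination port is not routine."""
    seen = set()
    for _, src, dst, port, _ in flows:
        if port not in common:
            seen.add((src, dst, port))
    return sorted(seen)


def beacons(flows, min_flows=4, max_cv=0.2):
    """Return sorted (src, dst, port, interval_s) for pairs talking at regular intervals.

    cv = stddev / mean of the inter-arrival gaps between flows of one pair.
    A low cv means a timer-driven check-in (C&C polling) rather than the
    bursty, irregular traffic a person generates.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        by_pair[(src, dst, port)].append(ts)
    found = []
    for key, times in by_pair.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found.append((*key, round(avg)))
    return sorted(found)


if __name__ == "__main__":
    for src, dst, port in unusual_ports(SAMPLE_FLOWS):
        print(f"unusual port: {src} -> {dst}:{port}")
    for src, dst, port, interval in beacons(SAMPLE_FLOWS):
        print(f"beacon: {src} -> {dst}:{port} every ~{interval}s")
```

The beacon heuristic is the one worth carrying over to real data: a bot that phones home on a fixed timer stands out by its low inter-arrival jitter even when it uses port 80 or 443, which the port allowlist alone would never flag. Raise `max_cv` a little if the malware adds random sleep, and lower `min_flows` only with care, since two or three flows are not enough to call anything periodic.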