Penetration Testing mailing list archives

RE: Spy ware assessment techniques


From: jseitz () crossflux com
Date: Sat, 11 Feb 2006 11:32:52 -0800 (PST)

The other thing to be aware of if you are suspecting spyware/rootkit
activity, is to close everything on your system and for 24 hours do an
ethereal capture on your machine. With the newest covert channels that are
being used it wouldn't be surprising to see basic one-way communication
occurring (i.e. at 3:00 am when you are sleeping, your computer is sending
requests to google.com, with the source address faked, Google.com is going
to replay the response to the attacker's machine). It will be obvious to
you though what is occurring.

JS

Some of the things I look for when I suspect spy ware and it isn't
straightforward about its presence are network connections. Apart from how
Windows is by nature the noisiest Operating System on earth on a network, you
can use a connection monitor either at the host or over the wire to look for
connections made to odd addresses that weren't initiated knowingly. Try
pointing the browser at a location void of banner ads and see if any "other"
connections are made to spy ware reporting engines as browser add-ins are
the most common spy ware.

Sounds like one of us with spare time should go on a warez and pr0n site
clicking spree with another clean computer doing some ethereal watching.
Maybe there can be some Snort signatures written for the whole world to
benefit.

-Terry


-----Original Message-----
From: Thorsten Holz [mailto:thorsten.holz () mmweg rwth-aachen de]
Sent: Friday, February 10, 2006 1:18 PM
Cc: pen-test () securityfocus com
Subject: Re: Spyware assessment techniques

Butler, Theodore wrote:
A companion question,  what if you had to do this from a command line?
How would it be done without the spyware tools?

My advice based on some experience with bots/adware:

- Look at the running processes and identify unusual entries
- Similarly, take a look at all the run keys in the registry (autostart
  for malware)
- Look for suspicious files in C:\, C:\%windir%, C:\%windir%\system32

With this information, you can find the most obvious ones. With stealthier
malware (hiding with the help of rootkits), you can look for suspicious
drivers, but a good installation will hide itself so that it can't be
detected from the command line.

From a network point of view, look for suspicious connections at the
gateway (netflow helps here). Identify unusual flows, use of unusual
ports used for Command & Control, recurring patterns, ... Perhaps you
can also use ngrep to search for suspicious network communication.

Just my 0.02 cent,
  Thorsten

--
http://honeyblog.org


----------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
----------------------------------------------------------------------------