Penetration Testing mailing list archives
RE: Spy ware assessment techniques
From: jseitz () crossflux com
Date: Sat, 11 Feb 2006 11:32:52 -0800 (PST)
The other thing to be aware of if you are suspecting spyware/rootkit activity is to close everything on your system and for 24 hours do an ethereal capture on your machine. With the newest covert channels that are being used it wouldn't be surprising to see basic one-way communication occurring (i.e. at 3:00 am when you are sleeping, your computer is sending requests to google.com with the source address faked; Google.com is going to replay the response to the attacker's machine). It will be obvious to you though what is occurring.

JS
Some of the things I look for when I suspect spyware and it isn't straightforward about its presence are network connections. Apart from how Windows is by nature the noisiest operating system on earth on a network, you can use a connection monitor either at the host or over the wire to look for connections made to odd addresses that weren't initiated knowingly. Try pointing the browser at a location void of banner ads and see if any "other" connections are made to spyware reporting engines, as browser add-ins are the most common spyware.

Sounds like one of us with spare time should go on a warez and pr0n site clicking spree with another clean computer doing some ethereal watching. Maybe there can be some Snort signatures written for the whole world to benefit.

-Terry

-----Original Message-----
From: Thorsten Holz [mailto:thorsten.holz () mmweg rwth-aachen de]
Sent: Friday, February 10, 2006 1:18 PM
Cc: pen-test () securityfocus com
Subject: Re: Spyware assessment techniques

Butler, Theodore wrote:
> A companion question, what if you had to do this from a command line? How would it be done without the spyware tools?

My advice based on some experience with bots/adware:

- Look at the running processes and identify unusual entries
- Similarly, take a look at all the Run keys in the registry (autostart for malware)
- Look for suspicious files in C:\, C:\%windir%, C:\%windir%\system32

With this information, you can find the most obvious ones. With stealthier malware (hiding with the help of rootkits), you can look for suspicious drivers, but a good installation will hide itself so that it can't be detected from the command line.

From a network point of view, look for suspicious connections at the gateway (netflow helps here). Identify unusual flows, use of unusual ports for Command & Control, recurring patterns, ... Perhaps you can also use ngrep to search for suspicious network communication.
Just my 0.02 cent,
Thorsten
--
http://honeyblog.org

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------------
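Both JS's 24-hour capture (one-way traffic at 3 am, replies never coming back because the source was spoofed) and Thorsten's gateway-side advice (unusual ports, recurring patterns in netflow) come down to the same triage of outbound flow records. The script below is an added example written for this archive page, not code posted by any participant in the thread. It works on flow records of the shape a netflow collector or a long ethereal/Wireshark capture can be reduced to (start time, protocol, destination, port, bytes out, bytes in) and flags a destination when it is contacted at a near-constant interval, only outside the hours the user is assumed to be active, on a port outside a small list of common ones, or with bytes going out and nothing coming back. The sample records, the 08:00 to 21:59 "active hours" window, the common-port list and the 10% jitter threshold are all assumptions made for the example.

```python
"""Beacon / one-way traffic triage over outbound flow records.

Added example for the thread above, not code from any poster.
All records below are constructed, not captured from a real host.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 24 hours of outbound flows from one workstation.
# Format: "YYYY-MM-DD HH:MM:SS proto dst_ip dst_port bytes_out bytes_in"
SAMPLE_FLOWS = """\
2006-02-10 09:05:12 tcp 66.102.7.99 80 1840 52310
2006-02-10 09:06:40 tcp 66.102.7.99 80 920 14400
2006-02-10 12:30:01 tcp 207.46.197.32 443 3100 22000
2006-02-10 17:45:09 tcp 66.102.7.99 80 1100 9000
2006-02-10 23:00:02 udp 198.51.100.23 5555 312 0
2006-02-11 00:00:03 udp 198.51.100.23 5555 312 0
2006-02-11 01:00:02 udp 198.51.100.23 5555 312 0
2006-02-11 02:00:04 udp 198.51.100.23 5555 312 0
2006-02-11 03:00:01 udp 198.51.100.23 5555 312 0
2006-02-11 04:00:03 udp 198.51.100.23 5555 312 0
2006-02-11 08:55:40 tcp 66.102.7.99 80 1500 40100
"""

ACTIVE_HOURS = range(8, 22)   # assumption: user at the keyboard 08:00-21:59
COMMON_PORTS = {80, 443, 53, 25, 110, 143, 993, 995}  # assumption: expected ports
MIN_SAMPLES = 4               # need a few flows before judging periodicity


def parse_flows(text):
    """Parse the whitespace-separated record format above into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, clock, proto, dst, port, out_b, in_b = line.split()
        flows.append({
            "ts": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "proto": proto, "dst": dst, "port": int(port),
            "out": int(out_b), "in": int(in_b),
        })
    return flows


def periodicity(timestamps):
    """Return (mean gap in seconds, coefficient of variation of the gaps),
    or None when there are too few flows to say anything."""
    if len(timestamps) < MIN_SAMPLES:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else 0.0)


def triage(flows, jitter_threshold=0.1):
    """Group flows per (dst, port, proto) and return {key: [reasons]} for
    every destination that trips at least one heuristic."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[(f["dst"], f["port"], f["proto"])].append(f)
    findings = {}
    for key, fl in by_dst.items():
        reasons = []
        p = periodicity([f["ts"] for f in fl])
        if p and p[1] < jitter_threshold:
            reasons.append(f"periodic every ~{int(p[0])}s")
        off_hours = sum(1 for f in fl if f["ts"].hour not in ACTIVE_HOURS)
        if off_hours and off_hours == len(fl):
            reasons.append("only seen outside active hours")
        if sum(f["in"] for f in fl) == 0:
            # Matches the spoofed-source case: requests leave, replies go elsewhere.
            reasons.append("one-way: bytes sent, nothing received")
        if key[1] not in COMMON_PORTS:
            reasons.append(f"uncommon port {key[1]}")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (dst, port, proto), why in triage(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{proto}/{dst}:{port}: " + "; ".join(why))
```

On the constructed sample the hourly UDP flows to 198.51.100.23:5555 trip all four heuristics while the daytime web traffic trips none. The coefficient of variation of the inter-arrival gaps is what separates a beacon from ordinary browsing: a human's requests to one site cluster and then go quiet for hours, so the gaps vary wildly, whereas a timer-driven implant keeps them within a few seconds of each other. Anything the script flags still has to be explained, not assumed malicious; a clock-sync or update check looks the same on this view.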
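Thorsten's command-line checklist (processes, Run keys, files in the system directories) can be applied to the raw output of `reg query` without any spyware tool on the box. The script below is an added example for this archive page, not something any poster supplied. It parses output in the shape `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` prints, pulls the image path out of each value, and flags entries that are bare filenames (resolved through the PATH search order), unquoted paths containing spaces, binaries living in a Temp or user-profile directory, system-process names (svchost.exe, lsass.exe, ...) that are not in system32, or anything outside the Windows and Program Files trees. The registry dump, the environment values used to expand `%windir%`, and the list of trusted roots are all constructed for the example; on a real host the first two would come from `reg query` and `set`.

```python
"""Autorun (Run key) triage from `reg query` text output.

Added example for the thread above, not code from any poster.
The registry output and environment below are constructed, not from a real host.
"""
import re

# Constructed output in the shape `reg query <key>` prints (name, type, data
# separated by runs of spaces), covering both the HKLM and HKCU Run keys.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    Adobe Reader Speed Launcher    REG_SZ    "C:\Program Files\Adobe\Reader 7.0\Reader\Reader_sl.exe"
    svchost    REG_SZ    C:\Documents and Settings\user\Local Settings\Temp\svchost.exe -k netsvc
    Windows Update    REG_EXPAND_SZ    %windir%\system32\wupdmgr.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    MSMSGS    REG_SZ    "C:\Program Files\Messenger\msmsgs.exe" /background
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Helper    REG_SZ    C:\WINDOWS\Temp\winlogin.exe
"""

# Assumed environment (lower-cased names) for expanding %var% references.
ENV = {"windir": r"C:\WINDOWS", "systemroot": r"C:\WINDOWS",
       "programfiles": r"C:\Program Files"}
TRUSTED_ROOTS = [ENV["windir"], ENV["programfiles"]]   # assumption
SYSTEM_PROCESSES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                    "services.exe", "smss.exe", "explorer.exe"}


def parse_reg_query(text):
    """Return [{'key', 'name', 'type', 'data'}] for every value line."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("HKEY_"):
            key = line
            continue
        parts = re.split(r"\s{2,}", line, maxsplit=2)
        if len(parts) == 3 and key:
            entries.append({"key": key, "name": parts[0],
                            "type": parts[1], "data": parts[2]})
    return entries


def image_path(data):
    """Split the executable path off the value data. Returns (path, quoted)."""
    m = re.match(r'"([^"]+)"', data)
    if m:
        return m.group(1), True
    m = re.match(r"(.*?\.(?:exe|com|bat|cmd|scr|pif|dll))(?:\s|$)", data, re.I)
    if m:
        return m.group(1), False
    return data.split()[0], False


def expand(path, env=ENV):
    """Expand %windir%-style references using the assumed environment."""
    return re.sub(r"%(\w+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def assess(entry, env=ENV):
    """Return the list of reasons an autorun entry deserves a closer look."""
    raw, quoted = image_path(entry["data"])
    path = expand(raw, env)
    low = path.lower()
    reasons = []
    if "\\" not in path:
        reasons.append("bare filename: located through PATH search order")
        return reasons
    if not quoted and " " in path:
        reasons.append("unquoted path containing spaces")
    if "\\temp\\" in low or low.startswith("c:\\documents and settings\\"):
        reasons.append("runs from a temp or user-profile directory")
    name = low.rsplit("\\", 1)[1]
    sys32 = env["windir"].lower() + "\\system32\\"
    if name in SYSTEM_PROCESSES and not low.startswith(sys32):
        reasons.append(f"system process name {name} outside system32")
    if not any(low.startswith(r.lower() + "\\") for r in TRUSTED_ROOTS):
        reasons.append("outside trusted install directories")
    return reasons


def triage_autoruns(entries):
    """{(key, name): [reasons]} for every entry with at least one reason."""
    return {(e["key"], e["name"]): r for e in entries if (r := assess(e))}


if __name__ == "__main__":
    for (key, name), why in triage_autoruns(parse_reg_query(SAMPLE_REG_QUERY)).items():
        print(f"{key}\\{name}: " + "; ".join(why))
```

On the constructed dump the quoted Program Files entries and the system32 binaries pass, while "svchost" running from the user's Temp directory collects four reasons at once. The Run keys are only the most obvious autostart location; RunOnce, RunServices, the Winlogon Shell/Userinit values, services and drivers want the same treatment, and, as Thorsten notes, a rootkit that hooks the registry APIs will not show its entries to `reg query` in the first place.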
Current thread:
- Re: Spyware assessment techniques, (continued)
- Re: Spyware assessment techniques Semper Securus (Feb 11)
- Re: Spyware assessment techniques - hub? Petr . Kazil (Feb 12)
- Re: Spyware assessment techniques - hub? Packet Man (Feb 12)
- Re: Spyware assessment techniques - hub? offset (Feb 12)
- RE: Spyware assessment techniques - hub? Richard Zaluski (Feb 13)
- RE: Spyware assessment techniques - hub? Dan Tesch (Feb 13)
- RE: Spyware assessment techniques Paul Melson (Feb 13)
- RE: Spyware assessment techniques Butler, Theodore (Feb 10)
- Re: Spyware assessment techniques Thorsten Holz (Feb 10)
- RE: Spy ware assessment techniques Terry Vernon (Feb 10)
- RE: Spy ware assessment techniques jseitz (Feb 11)
- Re: Spyware assessment techniques Thorsten Holz (Feb 10)