Re: Spyware assessment techniques

[Paul Halliday <paul.halliday () gmail com>]

Hi,
> loading free
> antispyware tools, scanning the host,  individually recording the
> results, classifying the types of spyware encountered and reporting
> the results.

Unfortunately the majority of these miss an astounding amount of
Malware. The easiest way to track down spyware and adware is to watch
the machine as it browses the web. Most products happily announce
themselves and the information they are contributing within their
useragent details as they chat with webservers.

Cheap and easy -

If you are doing an organization:
- get yourself on a span port on an upper level switch

- make a quick snort install (http://www.snort.org) with the bleeding
malware and virus rulesets (http://www.bleedingsnort.com ).There might
be some helpful VRT rules too.

- listen away.

If you are doing a host:
- interrupt the hosts uplink with a hub and plug your snort box in.

You could have this all setup on a laptop.

If you have snort logging to a database with something like sguil
(http://sguil.sourceforge.net) you could probably throw some perl/php
together to generate some nice reports.

Hope this helps.

On 2/10/06, Derek Nash <ddnash () gmail com> wrote:
> I am now frequently getting requests for spyware/grayware/adware
> assessments as subcomponent of a larger security assessment. My
> efforts up to this point have been a manual process of loading free
> antispyware tools, scanning the host,  individually recording the
> results, classifying the types of spyware encountered and reporting
> the results.
>
> Recently I have begun to consider including data from a web usage
> analysis tool that has the ability to identify spyware downloads and
> phone home attempts to augment these manual efforts. I am wondering
> what others are doing in regards to spyware assessments and if anyone
> is aware a spyware "network scanner" that would allow me to look at a
> larger sampling of hosts on a network during these assessments.
>
> ------------------------------------------------------------------------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on your
> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
> futile against web application hacking. Check your website for vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> -------------------------------------------------------------------------------

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------