Carilda A Thomas <cat () the-cat com> wrote:
> I have been looking but I cannot find a list all in one
> place of the various illegitimate files that various worms
> and trojans install into Microsoft systems.
What'd really help here is a list of MD5 checks for "known bad"
binaries. Obviously a custom build of sdbot or just a simple hexedit
would defeat this, but such a list would still have value against
automated attacks, etc.
> Perhaps I should clarify about this list thing: A friend
> of mine is apparently running a rogue email server and a
> rogue ftp server, and none of the virus checkers we have
> tried will determine what program or where. I looked for
> a Windows equivalent to lsof but there doesn't appear to
> be one -
Sysinternals has applications that, taken in combination, do much of
what 'lsof' does under Unix.
TCPView (http://www.sysinternals.com/ntw2k/source/tcpview.shtml) will show you
any listening sockets, the associated process, and the location from
which the process launched. This should suffice to locate a rogue FTP
service on a Windows PC.
> the one I found can only determine the program if
> it sees a packet go by and cannot find a quiescent
> program. The A/V checkers do not flag an email server,
> considering it a legitimate program. Task manager is also
> destroyed, so there is no help there. I was hoping to
> find a list of illegitimate files for which I could check.
Assuming the attacker is competent, the only way to "clean" a deeply
compromised machine is to reformat the drive and start from scratch.
The truly paranoid will question whether just formatting the drive is
Full-Disclosure - We believe in it.
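The two defender-side checks discussed in the reply above, as an added example that is not part of the thread: a known-bad MD5 list scan (including a demonstration of why a one-byte change to the binary defeats it, as the reply notes), and an lsof-style mapping of listening sockets to their owning process. The socket part parses the output of `netstat -ano` (Windows XP and later print the PID column) and joins it with a PID-to-image map of the kind `tasklist` or TCPView would give you. The hashes, file names, netstat lines and PID map are all constructed for the example; the trusted-path rule in `suspicious_listeners` is a deliberately simple heuristic, not a standard.

```python
"""Added example: known-bad hash scan plus netstat-to-process mapping.
All sample data below is constructed; nothing here is from the thread."""
import hashlib
import os
import re
import tempfile
from pathlib import Path


def md5_of_file(path):
    """Stream a file through MD5 so large binaries do not sit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_known_bad(root, known_bad):
    """Return {path: md5} for every file under root whose MD5 is in known_bad."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            digest = md5_of_file(p)
            if digest in known_bad:
                hits[p] = digest
    return hits


def demo_hash_list():
    """Build a temp tree with a 'known bad' file and a one-byte-edited variant.

    The variant shows the limitation the reply points out: a trivial edit
    changes the MD5, so a hash list only catches the exact build it lists."""
    payload = b"MZ\x90\x00constructed-sample-bot-binary"  # constructed, not a real binary
    with tempfile.TemporaryDirectory() as root:
        Path(root, "bot.exe").write_bytes(payload)
        Path(root, "bot_hexedited.exe").write_bytes(payload[:-1] + b"X")
        Path(root, "benign.exe").write_bytes(b"MZ benign")
        known_bad = {hashlib.md5(payload).hexdigest()}  # the "list" holds one hash
        hits = scan_for_known_bad(root, known_bad)
        names = sorted(os.path.basename(p) for p in hits)
        return {"detected": names, "variant_detected": "bot_hexedited.exe" in names}


# Constructed `netstat -ano` output: a rogue image on TCP 25 (SMTP) and 2021.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    192.168.1.5:2021       0.0.0.0:0              LISTENING       1532
  TCP    192.168.1.5:1044       10.0.0.2:80            ESTABLISHED     2212
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed PID-to-image map, as `tasklist` / TCPView would supply it.
PID_IMAGES = {
    904: "C:\\WINDOWS\\system32\\svchost.exe",
    1532: "C:\\WINDOWS\\Temp\\sys32.exe",
    2212: "C:\\Program Files\\Internet Explorer\\iexplore.exe",
    4: "System",
}

# TCP rows carry a state column; UDP rows do not, so they get their own pattern.
TCP_LISTEN_RE = re.compile(r"^\s*(TCP)\s+(\S+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
UDP_BOUND_RE = re.compile(r"^\s*(UDP)\s+(\S+)\s+\*:\*\s+(\d+)\s*$")


def listening_sockets(netstat_text, pid_images):
    """Parse netstat -ano text into [{proto, local, pid, image}] for listeners."""
    out = []
    for line in netstat_text.splitlines():
        m = TCP_LISTEN_RE.match(line) or UDP_BOUND_RE.match(line)
        if not m:
            continue
        proto, local, pid = m.group(1), m.group(2), int(m.group(3))
        out.append({"proto": proto, "local": local, "pid": pid,
                    "image": pid_images.get(pid, "<unknown>")})
    return out


def suspicious_listeners(sockets, trusted_prefixes=("c:\\windows\\system32\\",)):
    """Flag listeners whose image is not the kernel and not under a trusted path.

    Simple heuristic for triage only: a rogue service that copies itself into
    system32 would pass it, so treat the output as a starting point."""
    flagged = []
    for s in sockets:
        image = s["image"].lower()
        if image == "system":
            continue
        if not any(image.startswith(p) for p in trusted_prefixes):
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    print(demo_hash_list())
    for s in suspicious_listeners(listening_sockets(NETSTAT_SAMPLE, PID_IMAGES)):
        print(f"{s['proto']} {s['local']} pid={s['pid']} image={s['image']}")
```

On a real box you would feed `listening_sockets` the captured output of `netstat -ano` and build `PID_IMAGES` from `tasklist` (or read the path column straight off TCPView), then hash the flagged images and compare against whatever known-bad list you hold; the hash step confirms a known sample, while the socket step is what actually finds the quiescent rogue server the A/V checkers pass over.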