Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: List of worm and trojan files
From: GuidoZ <uberguidoz () gmail com>
Date: Tue, 28 Dec 2004 13:16:45 -0800

Assuming the attacker is competent, the only way to "clean" a deeply
compromised machine is to reformat the drive and start from scratch.
The truly paranoid will question whether just formatting the drive is
sufficient.

This isn't necessarily the case. While it will get the system up and
going again (and clean for the moment), if you don't do any root cause
analysis, then the problem will likely just return. You need to do
some investigating and figure out WHAT the problem is and HOW it got
there. Otherwise you haven't fixed anything.

This goes for any incident. Spyware/Adware/virus/trojan/worm or your
fav malware... they all have to get onto the system somehow. Without
knowing how and just reformatting, how have you fixed the actual issue
at hand?

One of the definitions of insanity: "Doing the same thing and
expecting a different result". Therefore, it's certifiably insane to
reload the system (to the previous state) and expect it to not be
reinfected. =)

--
Peace. ~G


On Thu, 23 Dec 2004 23:03:39 -0600, Kevin <kkadow () gmail com> wrote:
Carilda A Thomas <cat () the-cat com> wrote:
I have been looking but I cannot find a list all in one
place of the various illegitimate files that various worms
and trojans install into Microsoft systems.

What'd really help here is a list of MD5 checks for "known bad"
binaries.  Obviously a custom build of sdbot or just a simple hexedit
would defeat this, but such a list would still have value against
automated attacks, etc.

Perhaps I should clarify about this list thing:  A friend
of mine is apparently running a rogue email server and a
rogue ftp server, and none of the virus checkers we have
tried will determine what program or where.  I looked for
a windows equivalent to lsof but there doesn't appear to
be one -

Sysinternals has applications that, taken in combination, do much of
what 'lsof' does under Unix.

Specifically, tcpview
(http://www.sysinternals.com/ntw2k/source/tcpview.shtml) will show you
any listening sockets, the associated process, and the location from
which the process launched.  This should suffice to locate a rogue FTP
service on a Windows PC.

the one I found can only determine the program if
it sees a packet go by and cannot find a quiescent
program.  The A/V checkers do not flag an email server,
considering it a legitimate program.  Task manager is also
destroyed, so there is no help there.  I was hoping to
find a list of illegitimate files for which I could check.

Assuming the attacker is competent, the only way to "clean" a deeply
compromised machine is to reformat the drive and start from scratch.
The truly paranoid will question whether just formatting the drive is
sufficient.

Kevin Kadow
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]