Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: List of worm and trojan files
From: "Todd Towles" <toddtowles () brookshires com>
Date: Wed, 29 Dec 2004 08:38:44 -0600

GuidoZ is correct. I have seen companies ship new PCs out to customers
because of very bad infections and spyware...but of course they don't
patch them with anything. (Not even the LSASS holes)...so in two weeks
you have the same mess. 

I look at it and see Sasser, SD-Bot and I know want you have to do to
stop it. A huge corporation can't do the same?

-----Original Message-----
From: full-disclosure-bounces () lists netsys com 
[mailto:full-disclosure-bounces () lists netsys com] On Behalf Of GuidoZ
Sent: Tuesday, December 28, 2004 3:17 PM
To: Kevin
Cc: Carilda A Thomas; full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] List of worm and trojan files

Assuming the attacker is competent, the only way to "clean" 
a deeply 
compromised machine is to reformat the drive and start from scratch.
The truly paranoid will question whether just formatting 
the drive is 
sufficient.

This isn't necessarily the case. While it will get the system 
up and going again (and clean for the moment), if you don't 
do any root cause analysis, then the problem will likely just 
return. You need to do some investigating and figure out WHAT 
the problem is and HOW it got there. Otherwise you haven't 
fixed anything.

This goes for any incident. Spyware/Adware/virus/trojan/worm 
or your fav malware... they all have to get onto the system 
somehow. Without knowing how and just reformatting, how have 
you fixed the actual issue at hand?

One of the definitions of insanity: "Doing the same thing and 
expecting a different result". Therefore, it's certifiably 
insane to reload the system (to the previous state) and 
expect it to not be reinfected. =)

--
Peace. ~G


On Thu, 23 Dec 2004 23:03:39 -0600, Kevin <kkadow () gmail com> wrote:
Carilda A Thomas <cat () the-cat com> wrote:
I have been looking but I cannot find a list all in one 
place of the 
various illegitimate files that various worms and trojans install 
into Microsoft systems.

What'd really help here is a list of MD5 checks for "known bad"
binaries.  Obviously a custom build of sdbot or just a 
simple hexedit 
would defeat this, but such a list would still have value against 
automated attacks, etc.

Perhaps I should clarify about this list thing:  A friend 
of mine is 
apparently running a rogue email server and a rogue ftp 
server, and 
none of the virus checkers we have tried will determine 
what program 
or where.  I looked for a windows equivalent to lsof but there 
doesn't appear to be one -

Sysinternals has applications that, taken in combination, 
do much of 
what 'lsof' does under Unix.

Specifically, tcpview
(http://www.sysinternals.com/ntw2k/source/tcpview.shtml) 
will show you 
any listening sockets, the associated process, and the 
location from 
which the process launched.  This should suffice to locate 
a rogue FTP 
service on a Windows PC.

the one I found can only determine the program if
it sees a packet go by and cannot find a quiescent 
program.  The A/V 
checkers do not flag an email server, considering it a legitimate 
program.  Task manager is also destroyed, so there is no 
help there.  
I was hoping to find a list of illegitimate files for 
which I could 
check.

Assuming the attacker is competent, the only way to "clean" 
a deeply 
compromised machine is to reformat the drive and start from scratch.
The truly paranoid will question whether just formatting 
the drive is 
sufficient.

Kevin Kadow
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault