Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Tools for checking for presence of adware remotely
From: Harlan Carvey <keydet89 () yahoo com>
Date: Wed, 30 Jun 2004 18:31:41 -0700 (PDT)

-aditya

Sure...Perl scripts.  As a security admin in an
FTE
position, I had scripts that checked all systems
within the domain for entries in the ubiquitous
'Run'
key, as well as for BHOs.  Easy stuff, pretty
trivial, actually.

but then you would have to keep on updating your
bhos and other sigs, and what about the spyware that
when removed from the run key refuse to let the
network connections operate? how do u take care of
them ?

You need to go back and read what I posted again.  I
never said anything about removing anything...all I
did was check.  By querying the BHO listings and the
entries in the Run key (and others), I was able to
narrow down the systems that needed to be visited
personally.  

It's not difficult to figure out how things work on
Windows systems.  Once you find that out, it's pretty
simple.  I will defer to Marcus Ranum's title of
"artificial ignorance" to describe how the Perl
scripts work...by identifying those things that are
known to be 'good' entries and filtering those out,
you're left with the suspicious stuff.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault