Full Disclosure
mailing list archives
Re: detecting targetted malware
From: "kevin fielder" <kevin.fielder () gmail com>
Date: Mon, 22 Jan 2007 14:21:47 +0000
Hi
What you are referring to is a 'white-list' of applications, e.g. you
have an application that runs at a low level and only allows a list of
approved or allowed applications to run. These do not necessarily
need to scan your system as they can work at run-time - each time an
application of any sort tries to run, the monitoring application checks
it against its list of approved applications and decides whether it
can start or not (this obviously needs to be more than just the
application name; some sort of checksum and / or other intelligence is
required to ensure a malicious application cannot masquerade as an
approved one).
Various tools can offer this service with varying degrees of
complexity / intelligence, AppSense springs to mind as one that
specializes in this service, but many desktop protection tools that
offer AV/ firewall / IDS etc also offer white / black list application
controls.
cheers
K
On 1/22/07, lsi <stuart () cyberdelix net> wrote:
This is probably patented and implemented already but nonetheless it's
a new idea for me, so I mention it...
While mass-produced malware remains an issue for most users, a
significant threat is also posed by malware customised for a specific
victim (so-called 'targetted malware'). This threat is potentially
worse as an organisation cannot rely on traditional AV or anti-spyware
scanners to detect the targetted malware; as the malicious
code is customised it does not have an entry in AV/AS signature
databases.
Despite this, detecting customised code should be easy. All that's
needed is a scanner. It simply finds every piece of executable code
on a system. It then compares each piece with its list of known-good
executables. Any executable that is found but is not on the list is
an intruder.
This approach takes advantage of the fact that, unlike spam, we can
make a list of all our known-good items.
Stu
---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/
---
* Origin: lsi: revolution through evolution (192:168/0.2)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
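As an added illustration of the known-good list both posts describe (this is not code from either poster or from any product named in the thread), the Python below baselines the executables under a directory by SHA-256 and then reports every executable whose hash is not on the list. Keying the list on content hash rather than file name covers the masquerade case Kevin raises: a file that keeps an approved name but has different contents is flagged. The directory layout, file names and file contents are constructed for the demo; "executable" is judged by the execute bit, which is a simplification noted in the code.

```python
"""Known-good executable allowlist, added illustration for the thread above.

Baseline a directory tree by content hash, then flag any executable that is not
on the list, including a file that reuses an approved name with new contents.
Names and contents below are constructed for the demo.
"""
import hashlib
import stat
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash file contents in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_executable(path: Path) -> bool:
    # Simplification: "executable" means an execute bit is set. A real scanner would
    # also inspect file headers (ELF/PE magic), since the bit alone is easy to unset.
    mode = path.stat().st_mode
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def build_allowlist(root: Path) -> dict:
    """Map content hash -> relative path for every executable under root.

    The key is the hash, not the name, so a renamed or replaced binary does not
    match an approved entry.
    """
    return {
        sha256_file(p): str(p.relative_to(root))
        for p in root.rglob("*")
        if p.is_file() and is_executable(p)
    }


def scan(root: Path, allowlist: dict) -> list:
    """Return relative paths of executables whose hash is not on the allowlist."""
    unknown = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and is_executable(p) and sha256_file(p) not in allowlist:
            unknown.append(str(p.relative_to(root)))
    return unknown


def demo() -> list:
    """Constructed scenario: baseline two approved programs, then drop in a new
    binary and replace one approved program with different contents under the
    same name. Both should be reported; the untouched program should not."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        approved = (
            ("bin/editor", b"#!/bin/sh\necho editor\n"),
            ("bin/mailer", b"#!/bin/sh\necho mailer\n"),
        )
        for name, body in approved:
            f = root / name
            f.write_bytes(body)
            f.chmod(0o755)
        (root / "notes.txt").write_bytes(b"not executable, never scanned")

        allowlist = build_allowlist(root)

        # Post-baseline changes: an unknown binary and a same-name substitution.
        dropped = root / "bin" / "updater"
        dropped.write_bytes(b"#!/bin/sh\necho something else\n")
        dropped.chmod(0o755)
        (root / "bin" / "mailer").write_bytes(b"#!/bin/sh\necho mailer plus payload\n")

        return scan(root, allowlist)


if __name__ == "__main__":
    for rel in demo():
        print("not on known-good list:", rel)
```

The baseline step is the part that needs care in practice: it has to be taken from a clean build, and the allowlist itself has to be protected from modification, otherwise anything added before the snapshot is silently approved.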