From: kkadow at gmail.com (Kevin)
Subject: List of worm and trojan files

Carilda A Thomas <cat@...-cat.com> wrote:
>I have been looking but I cannot find a list all in one
>place of the various illegitimate files that various worms
>and trojans install into Microsoft systems.

What'd really help here is a list of MD5 checks for "known bad"
binaries.  Obviously a custom build of sdbot or just a simple hexedit
would defeat this, but such a list would still have value against
automated attacks, etc.

> Perhaps I should clarify about this list thing:  A friend
> of mine is apparently running a rogue email server and a
> rogue ftp server, and none of the virus checkers we have
> tried will determine what program or where.  I looked for
> a windows equivalent to lsof but there doesn't appear to
> be one - 

Sysinternals has applications that, taken in combination, do much of
what 'lsof' does under Unix.

Specifically, tcpview
(http://www.sysinternals.com/ntw2k/source/tcpview.shtml) will show you
any listening sockets, the associated process, and the location from
which the process launched.  This should suffice to locate a rogue FTP
service on a Windows PC.

> the one I found can only determine the program if
> it sees a packet go by and cannot find a quiescent
> program.  The A/V checkers do not flag an email server,
> considering it a legitimate program.  Task manager is also
> destroyed, so there is no help there.  I was hoping to
> find a list of illegitimate files for which I could check.

Assuming the attacker is competent, the only way to "clean" a deeply
compromised machine is to reformat the drive and start from scratch. 
The truly paranoid will question whether just formatting the drive is
sufficient.

Kevin Kadow
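The "list of MD5 checks for known bad binaries" idea from the reply above, as an added example that is not part of the original post or any tool it mentions. The script hashes every file under a directory in chunks, matches the digests against a known-bad set, and then shows the limitation Kevin states himself: a single changed byte (the "simple hexedit") yields a digest that no longer matches. The two "bad" payloads, the file names and the directory layout are constructed stand-ins, not real malware samples; a real deployment would load digests from a maintained list and, today, would prefer SHA-256 (swap `hashlib.md5` for `hashlib.sha256`).

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-ins for worm/trojan binaries (not real samples). The
# known-bad digests below are computed from these bodies.
SAMPLE_BAD_PAYLOADS = {
    "sdbot-sample.exe": b"MZ\x90\x00constructed sample body of a bot binary\n",
    "mailer-sample.exe": b"MZ\x90\x00constructed sample body of a rogue smtp daemon\n",
}


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk_size=1 << 16) -> str:
    """Hash a file in chunks so large binaries never have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


# digest -> human-readable name of the known-bad sample
KNOWN_BAD = {md5_of_bytes(body): name for name, body in SAMPLE_BAD_PAYLOADS.items()}


def scan_tree(root, known_bad=KNOWN_BAD):
    """Walk root, hash every regular file, return {path: known-bad name} for hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            try:
                digest = md5_of_file(p)
            except OSError:
                continue  # unreadable or locked file: skip it rather than abort the scan
            if digest in known_bad:
                hits[str(p)] = known_bad[digest]
    return hits


def flip_one_byte(data: bytes, index: int = -1) -> bytes:
    """Simulate the 'simple hexedit' the post mentions: change exactly one byte."""
    b = bytearray(data)
    b[index] ^= 0x01
    return bytes(b)


def demo():
    """Plant the constructed samples, a clean file and a one-byte-modified copy in a
    scratch directory, scan it, and return (sorted hit names, modified_copy_detected)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "notepad.exe").write_bytes(b"MZ\x90\x00clean program\n")
        (root / "system32" / "svch0st.exe").write_bytes(SAMPLE_BAD_PAYLOADS["sdbot-sample.exe"])
        (root / "temp").mkdir()
        (root / "temp" / "smtp.exe").write_bytes(SAMPLE_BAD_PAYLOADS["mailer-sample.exe"])
        # A patched variant differs by one byte, so its MD5 no longer matches the list.
        (root / "temp" / "smtp2.exe").write_bytes(
            flip_one_byte(SAMPLE_BAD_PAYLOADS["mailer-sample.exe"]))
        hits = scan_tree(root)
        names = sorted(hits.values())
        modified_detected = any(p.endswith("smtp2.exe") for p in hits)
        return names, modified_detected


if __name__ == "__main__":
    names, modified_detected = demo()
    print("known-bad hits:", names)
    print("one-byte variant detected:", modified_detected)
```

`demo()` reports the two unmodified samples and misses the one-byte variant, which is exactly why a digest list helps against mass automated infections but not against a custom build.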
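The listening-socket-to-process mapping that Kevin describes tcpview doing, as an added example rather than anything from the post or from Sysinternals. Windows' own `netstat -ano` prints the same PID column, so a parser over its output gives a scriptable, lsof-like view that can be run against saved output from the suspect machine. The sample output, PIDs and addresses below are constructed, not captured from a real host, and `SERVER_PORTS` is an assumed list of ports a workstation would not normally serve. One caveat the post itself supports: on a box where Task Manager has already been destroyed, the host's own `netstat` may be tampered with too, so confirm anything it shows from another machine (a port scan from a clean host, or the firewall's logs).

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output from a Windows host.
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1312
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1312
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1054       10.0.0.7:80            ESTABLISHED     2200
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:137            *:*                                    1500
  UDP    127.0.0.1:1900         *:*                                    1500
"""

# Assumed list of "server" ports a desktop should not be offering (example only).
SERVER_PORTS = {21: "ftp", 25: "smtp", 80: "http", 110: "pop3", 143: "imap"}


def split_addr(addr):
    """Split 'host:port' (IPv4), '[host]:port' (IPv6) or '*:*' into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per connection line of `netstat -ano` output, skipping headers."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        # UDP lines carry no State column; the PID is the last field either way.
        state = parts[3] if proto == "TCP" else ""
        pid = int(parts[-1])
        lhost, lport = split_addr(local)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "foreign": foreign, "state": state, "pid": pid})
    return rows


def listening_by_pid(rows):
    """Map PID -> sorted (proto, port) pairs for TCP listeners and bound UDP sockets."""
    out = defaultdict(set)
    for r in rows:
        if r["proto"] == "TCP" and r["state"] != "LISTENING":
            continue  # outbound/established connections are not servers
        out[r["pid"]].add((r["proto"], r["local_port"]))
    return {pid: sorted(ports) for pid, ports in out.items()}


def suspicious_servers(rows, server_ports=SERVER_PORTS):
    """Return sorted [(pid, port, service)] for TCP listeners on server_ports."""
    return sorted((r["pid"], r["local_port"], server_ports[r["local_port"]])
                  for r in rows
                  if r["proto"] == "TCP" and r["state"] == "LISTENING"
                  and r["local_port"] in server_ports)


if __name__ == "__main__":
    # On a live Windows host, feed the real output of `netstat -ano` instead of
    # SAMPLE_NETSTAT; `tasklist /FI "PID eq <pid>"` then names the image for a PID.
    rows = parse_netstat(SAMPLE_NETSTAT)
    for pid, port, svc in suspicious_servers(rows):
        print(f"PID {pid} listens on {port}/tcp ({svc})")
```

With the constructed data, one PID (1312) owns both the FTP and SMTP listeners, which is the pattern the original question describes: a single rogue process serving both protocols.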
