| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: uberguidoz at gmail.com (GuidoZ) Subject: List of worm and trojan files > Assuming the attacker is competent, the only way to "clean" a deeply > compromised machine is to reformat the drive and start from scratch. > The truly paranoid will question whether just formatting the drive is > sufficient. This isn't necessarily the case. While it will get the system up and going again (and clean for the moment), if you don't do any root cause analysis, then the problem will likely just return. You need to do some investigating and figure out WHAT the problem is and HOW it got there. Otherwise you haven't fixed anything. This goes for any incident. Spyware/Adware/virus/trojan/worm or your fav malware... they all have to get onto the system somehow. Without knowing how and just reformatting, how have you fixed the actual issue at hand? One of the definitions of insanity: "Doing the same thing and expecting a different result". Therefore, it's certifiably insane to reload the system (to the previous state) and expect it to not be reinfected. =) -- Peace. ~G On Thu, 23 Dec 2004 23:03:39 -0600, Kevin <kkadow@...il.com> wrote: > Carilda A Thomas <cat@...-cat.com> wrote: > >I have been looking but I cannot find a list all in one > >place of the various illegitimate files that various worms > >and trojans install into Microsoft systems. > > What'd really help here is a list of MD5 checks for "known bad" > binaries. Obviously a custom build of sdbot or just a simple hexedit > would defeat this, but such a list would still have value against > automated attacks, etc. > > > Perhaps I should clarify about this list thing: A friend > > of mine is apparently running a rogue email server and a > > rogue ftp server, and none of the virus checkers we have > > tried will determine what program or where. I looked for > > a windows equivalent to lsof but there doesn't appear to > > be one - > > Sysinternals has applications that, taken in combination, do much of > what 'lsof' does under Unix. > > Specifically, tcpview > (http://www.sysinternals.com/ntw2k/source/tcpview.shtml) will show you > any listening sockets, the associated process, and the location from > which the process launched. This should suffice to locate a rogue FTP > service on a Windows PC. > > the one I found can only determine the program if > > it sees a packet go by and cannot find a quiescent > > program. The A/V checkers do not flag an email server, > > considering it a legitimate program. Task manager is also > > destroyed, so there is no help there. I was hoping to > > find a list of illegitimate files for which I could check. > > Assuming the attacker is competent, the only way to "clean" a deeply > compromised machine is to reformat the drive and start from scratch. > The truly paranoid will question whether just formatting the drive is > sufficient. > > Kevin Kadow > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html >
Powered by blists - more mailing lists