From: toddtowles at brookshires.com (Todd Towles)
Subject: List of worm and trojan files

GuidoZ is correct. I have seen companies ship new PCs out to customers
because of very bad infections and spyware...but of course they don't
patch them with anything. (Not even the LSASS holes)...so in two weeks
you have the same mess. 

I look at it and see Sasser, SD-Bot and I know what you have to do to
stop it. A huge corporation can't do the same?

> -----Original Message-----
> From: full-disclosure-bounces@...ts.netsys.com 
> [mailto:full-disclosure-bounces@...ts.netsys.com] On Behalf Of GuidoZ
> Sent: Tuesday, December 28, 2004 3:17 PM
> To: Kevin
> Cc: Carilda A Thomas; full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] List of worm and trojan files
> 
> > Assuming the attacker is competent, the only way to "clean" a deeply
> > compromised machine is to reformat the drive and start from scratch.
> > The truly paranoid will question whether just formatting the drive is
> > sufficient.
> 
> This isn't necessarily the case. While it will get the system 
> up and going again (and clean for the moment), if you don't 
> do any root cause analysis, then the problem will likely just 
> return. You need to do some investigating and figure out WHAT 
> the problem is and HOW it got there. Otherwise you haven't 
> fixed anything.
> 
> This goes for any incident. Spyware/Adware/virus/trojan/worm 
> or your fav malware... they all have to get onto the system 
> somehow. Without knowing how and just reformatting, how have 
> you fixed the actual issue at hand?
> 
> One of the definitions of insanity: "Doing the same thing and 
> expecting a different result". Therefore, it's certifiably 
> insane to reload the system (to the previous state) and 
> expect it to not be reinfected. =)
> 
> --
> Peace. ~G
> 
> 
> On Thu, 23 Dec 2004 23:03:39 -0600, Kevin <kkadow@...il.com> wrote:
> > Carilda A Thomas <cat@...-cat.com> wrote:
> > >I have been looking but I cannot find a list all in one place of the
> > >various illegitimate files that various worms and trojans install
> > >into Microsoft systems.
> > 
> > What'd really help here is a list of MD5 checks for "known bad"
> > binaries.  Obviously a custom build of sdbot or just a simple hexedit
> > would defeat this, but such a list would still have value against
> > automated attacks, etc.
> > 
> > > Perhaps I should clarify about this list thing:  A friend of mine is
> > > apparently running a rogue email server and a rogue ftp server, and
> > > none of the virus checkers we have tried will determine what program
> > > or where.  I looked for a windows equivalent to lsof but there
> > > doesn't appear to be one -
> > 
> > Sysinternals has applications that, taken in combination, do much of
> > what 'lsof' does under Unix.
> > 
> > Specifically, tcpview
> > (http://www.sysinternals.com/ntw2k/source/tcpview.shtml) will show you
> > any listening sockets, the associated process, and the location from
> > which the process launched.  This should suffice to locate a rogue FTP
> > service on a Windows PC.
> > 
> > > the one I found can only determine the program if
> > > it sees a packet go by and cannot find a quiescent program.  The A/V
> > > checkers do not flag an email server, considering it a legitimate
> > > program.  Task manager is also destroyed, so there is no help there.
> > > I was hoping to find a list of illegitimate files for which I could
> > > check.
> > 
> > Assuming the attacker is competent, the only way to "clean" a deeply
> > compromised machine is to reformat the drive and start from scratch.
> > The truly paranoid will question whether just formatting the drive is
> > sufficient.
> > 
> > Kevin Kadow
> 
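
The "known bad" MD5 list suggested in the quoted thread, together with the limit stated there (a single edited byte defeats it), as an added example that is not part of the original messages. The file names, file contents and the label `constructed-bot` are constructed for the demonstration; no real sample or real hash is used.

```python
import hashlib
import os
import tempfile

def md5_of(path, chunk=65536):
    """MD5 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan(root, known_bad):
    """Return sorted (relative path, label) pairs for files whose MD5 is listed."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                digest = md5_of(full)
            except OSError:
                continue  # locked or unreadable file: skip it, keep scanning
            if digest in known_bad:
                hits.append((os.path.relpath(full, root), known_bad[digest]))
    return sorted(hits)

def demo():
    # Constructed stand-in bytes, not a real binary.
    sample = b"MZ" + b"constructed stand-in for a known-bad binary" * 8
    known_bad = {hashlib.md5(sample).hexdigest(): "constructed-bot"}
    files = {
        "system32/svch0st.exe": sample,               # exact copy: listed hash
        "system32/patched.exe": sample[:-1] + b"!",   # one byte changed: new hash
        "notepad.exe": b"MZ benign constructed file",
    }
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "system32"))
        for rel, data in files.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as f:
                f.write(data)
        return scan(root, known_bad)

if __name__ == "__main__":
    for path, label in demo():
        print(f"{path}: matches {label}")
```

Only the exact copy is reported; the one-byte variant passes unflagged, which is why a clean scan against such a list does not show that a machine is clean.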

