Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Day 21 - Removing Bots, Keyloggers, and Spyware

Published: 2008-10-21
Last Updated: 2008-10-31 02:03:48 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Yesterday, we tackled the "mother of all malware", rootkits. Today, we are looking for you recipies to erradicate lesser evils: Bots, Keyloggers and Spyware. Of course, with the erradication of such malware, another important step is to determine the exact damage to the information on the system. What was altered by the bot? What was stolen?

As always, please use the comment feature below (you need to log in), or sent your comments and suggestions to our handler team via our contact form.

Update

The responses to this topic can be summarized as "you need to know what you got first".

In order to accurately identify malware added to your system, you need to know exactly what is supposed to be on your system in the frist place. Readers suggested tools like tripwire and aide. However, if you ever tried to use these tools, they quickly blow up if you don't have good change control. If you don't have change control, then these tools will drown you in false positives.

One reader suggested the use of backup tapes to find a "last known good version" of the system. But then again, the only way to know if that tape is not infected is to know what's supposed to be on the tape in the first place.

As with rootkits, the need to rebuild came up again. Rebuilding compromissed systems is still important. But you always end up importing some "tainted" data from backups. For example, you may restore a customer database from backups. But what if the root of the evil was a SQL injection flaw, and your database is now peppered with malicious javascript references?

Other responses focused on detection. I guess we can call it a consensus that anti-malware is not to be trusted. Network based detection, in particular looking for exfiltrated data and outbound firewall rules seem to work the best (in addition to the whitelist approach)

 

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: Awareness2008
0 comment(s)

Wireshark 1.0.4 released

Published: 2008-10-21
Last Updated: 2008-10-21 12:02:23 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Wireshark, our all-time favorite protocol analyzer, released a new version (1.0.4). The new version includes a number of security fixes. For details, see http://www.wireshark.org/news/20081020.html

Just by its nature of including a large number of protocol parsers, Wireshark is a somewhat risky program. To mitigate the risk, I personally prefer to collect traffic using a simpler program like tcpdump, and later analyze the traffic in wireshark using a low privilege account.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: patches wireshark
0 comment(s)
Diary Archives