Day 21 - Removing Bots, Keyloggers, and Spyware
Yesterday, we tackled the "mother of all malware", rootkits. Today, we are looking for your recipes to eradicate lesser evils: bots, keyloggers and spyware. Of course, along with eradicating such malware, another important step is to determine the exact damage to the information on the system. What was altered by the bot? What was stolen?
As always, please use the comment feature below (you need to log in), or send your comments and suggestions to our handler team via our contact form.
Update
The responses to this topic can be summarized as "you need to know what you got first".
In order to accurately identify malware added to your system, you need to know exactly what is supposed to be on your system in the first place. Readers suggested tools like tripwire and aide. However, if you have ever tried to use these tools, you know they quickly become unmanageable if you don't have good change control. Without change control, every legitimate patch or configuration edit looks like a finding, and these tools will drown you in false positives.
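The point about tripwire and aide needing change control is easiest to see with a small file-integrity checker. The following is an added example, not code from the diary or from either project: it records a SHA-256, size and permission bits for every file under a directory, diffs a later snapshot against that baseline, and then splits the findings into those a (hypothetical) change ticket explains and those nobody can account for. The directory tree, file contents and the `approved` set are all constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries don't land in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Record hash, size and permission bits of every regular file under root.

    Keys are POSIX-style paths relative to root so the baseline is portable.
    """
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def compare(baseline, current):
    """Return files that were added, removed or changed since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def triage(diff, approved):
    """Split findings into those explained by change control and the rest.

    'approved' is the set of paths a change ticket says were touched. Without
    such a record every legitimate patch ends up in 'unexplained', which is
    exactly the false-positive flood the diary warns about.
    """
    findings = diff["added"] + diff["removed"] + diff["modified"]
    return {
        "expected": sorted(p for p in findings if p in approved),
        "unexplained": sorted(p for p in findings if p not in approved),
    }


def demo():
    """Build a tiny constructed tree, baseline it, change it, and triage the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary (constructed)")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)

        # Approved change: hosts file edited under a (hypothetical) change ticket.
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 db\n")
        # Unapproved changes: a replaced binary and a new file nobody asked for.
        (root / "bin" / "ls").write_bytes(b"replaced ls binary (constructed)")
        (root / "bin" / "kbd").write_bytes(b"unexpected new file (constructed)")

        diff = compare(baseline, build_baseline(root))
        return triage(diff, approved={"etc/hosts"})


if __name__ == "__main__":
    print(demo())
```

Run it and `demo()` reports `etc/hosts` as expected and `bin/kbd` plus `bin/ls` as unexplained. Take the `approved` set away and all three land in the unexplained bucket, which is the situation an organisation without change control is in on every patch day: the tool is working, it just has no way to tell a Tuesday update from a replaced binary.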
One reader suggested the use of backup tapes to find a "last known good version" of the system. But then again, the only way to know if that tape is not infected is to know what's supposed to be on the tape in the first place.
As with rootkits, the need to rebuild came up again. Rebuilding compromised systems is still important. But you always end up importing some "tainted" data from backups. For example, you may restore a customer database from backups. But what if the root of the evil was a SQL injection flaw, and your database is now peppered with malicious JavaScript references?
Other responses focused on detection. I guess we can call it a consensus that anti-malware is not to be trusted. Network-based detection, in particular looking for exfiltrated data and outbound firewall rules, seems to work best (in addition to the whitelist approach).
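To make the network-detection consensus concrete, here is an added example (not code from the diary) that combines the two ideas readers mentioned: an egress allowlist enforced by outbound firewall rules, and a volume check for data leaving the network. It parses iptables-style `LOG` lines, flags any outbound connection whose protocol and destination port are not on the allowlist, and totals bytes per source/destination pair so that a large transfer over a permitted port still surfaces. The log lines, the allowlist and the 4000-byte threshold are constructed for the demonstration; in practice the threshold comes from your own traffic baseline.

```python
import re
from collections import defaultdict

# Constructed iptables-style LOG lines, as a gateway would write them for
# connections leaving the internal network (log prefix "OUTBOUND").
SAMPLE_LOG = """\
Oct 21 10:01:02 gw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC=10.0.0.12 DST=93.184.216.34 PROTO=TCP SPT=51234 DPT=443 LEN=1500
Oct 21 10:01:03 gw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC=10.0.0.12 DST=93.184.216.34 PROTO=TCP SPT=51234 DPT=443 LEN=1500
Oct 21 10:01:05 gw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC=10.0.0.12 DST=198.51.100.7 PROTO=TCP SPT=51240 DPT=6667 LEN=60
Oct 21 10:02:10 gw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC=10.0.0.20 DST=203.0.113.9 PROTO=TCP SPT=40001 DPT=443 LEN=1500
Oct 21 10:02:11 gw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC=10.0.0.20 DST=203.0.113.9 PROTO=TCP SPT=40001 DPT=443 LEN=1500
Oct 21 10:02:12 gw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC=10.0.0.20 DST=203.0.113.9 PROTO=TCP SPT=40001 DPT=443 LEN=1500
Oct 21 10:02:13 gw kernel: OUTBOUND IN=eth1 OUT=eth0 SRC=10.0.0.20 DST=192.0.2.53 PROTO=UDP SPT=5353 DPT=53 LEN=80
"""

# Allowlist of permitted egress as (protocol, destination port). Anything
# else is a policy violation and worth a look. Constructed for the example.
ALLOWED_EGRESS = {("TCP", 80), ("TCP", 443), ("UDP", 53)}

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Turn one LOG line into a dict, or None if it is not an outbound record."""
    if "OUTBOUND" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    try:
        return {
            "src": fields["SRC"],
            "dst": fields["DST"],
            "proto": fields["PROTO"],
            "dpt": int(fields["DPT"]),
            "len": int(fields["LEN"]),
        }
    except (KeyError, ValueError):
        return None  # malformed line, or no port (e.g. ICMP has no DPT)


def analyze(log_text, allowed=ALLOWED_EGRESS, byte_threshold=4000):
    """Flag egress that breaks the allowlist and host pairs moving unusual volume."""
    policy_hits = []
    bytes_per_pair = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["proto"], rec["dpt"]) not in allowed:
            policy_hits.append((rec["src"], rec["dst"], rec["proto"], rec["dpt"]))
        bytes_per_pair[(rec["src"], rec["dst"])] += rec["len"]
    volume_hits = [
        (src, dst, total)
        for (src, dst), total in sorted(bytes_per_pair.items())
        if total > byte_threshold
    ]
    return {"policy": policy_hits, "volume": volume_hits}


if __name__ == "__main__":
    for category, hits in analyze(SAMPLE_LOG).items():
        print(category, hits)
```

On the sample, the allowlist check catches `10.0.0.12` talking to port 6667, and the volume check catches `10.0.0.20` pushing 4500 bytes to `203.0.113.9` over port 443 even though 443 is permitted. That second case is why the diary pairs "outbound firewall rules" with "looking for exfiltrated data": a pure allowlist stops the obvious channels, but a bot that uses HTTPS only shows up when you also watch how much leaves and where it goes.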
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Wireshark 1.0.4 released
Wireshark, our all-time favorite protocol analyzer, released a new version (1.0.4). The new version includes a number of security fixes. For details, see http://www.wireshark.org/news/20081020.html .
Simply because it includes a large number of protocol parsers, Wireshark is a somewhat risky program to point at untrusted traffic. To mitigate the risk, I personally prefer to collect traffic using a simpler program like tcpdump, and later analyze the capture in Wireshark using a low-privilege account.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Comments
Anonymous
Dec 26th 2022
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.