SANS ISC: Spyware Tool Kit, OSPF Filtering & Authentication, Port 559 Traffic Spike - SANS Internet Storm Center

• SANS Site Network
  • Current Site
  • Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Anti-Spyware Tool Kit

Yesterday's diary entry solicited a number of replies regarding the "tool kits" people use for fighting spyware, malware and viruses. I've collated the most popular, from both e-mail submissions and some from the Handlers themselves. This list is not necessarily complete in anyway...just a starter for people to help build their own kit.

Tools:

Spybot - Search & Destroy : http://security.kolla.de/ or http://www.safer-networking.org
Ad-Aware: http://www.lavasoftusa.com/software/adaware/
SwatIt: http://www.swatit.org
TDS-3 - Trojan Defence Suite http://tds.diamondcs.com.au/
TrojanHunter: http://www.misec.net/trojanhunter
TheCleaner: http://www.moosoft.com/
BHOdemon http://www.spychecker.com/download/download_bhodaemon.html
SpySweeper: http://www.webroot.com/
Process Explorer http://www.sysinternals.com/
HijackThis http://www.spywareinfo.com/~merijn/
AntiVir: http://www.free-av.com/
AVG: http://www.grisoft.com/us/us_index.php

Sites:

Rogue/Suspect Anti-Spyware Products & Web Sites: http://www.spywarewarrior.com/rogue_anti-spyware.htm
Broadband Reports (aka DSL Reports): http://www.dslreports.com/forum/security,1

Please note, some or all of these tools are NOT for the novice, and should be used with GREAT care. If you are not careful, you may damage parts of your operating system.

OSPF Filtering & Authentication

Yesterday, Cisco released an advisory regarding a vulnerability in their OSPF implementation that could result in a DOS of a router. The notice also provided links to updated software that should resolve the issue. However, there are a number of SOPs (standard operating procedures) that router admins should be following that will also help mitigate this situation. In the case of OSPF, the protocol should be filtered at your borders, if possible, running only on "internal" interfaces, and authentication should be required. The following are links that should get you started:

Cisco Sample Configuration: http://www.cisco.com/warp/public/104/25.shtml
Another Sample Configuration: http://www.tech-recipes.com/cisco_router_tips408.html
Port 559 Scanning, Request for Packets

We have noted a marked increase in Port 559 scanning. This port may be related to the Domwis backdoor. Please submit any packet captures for this port to http://isc.sans.org/contact.php

More information here:

http://www.dshield.org/port_report.php?port=559&recax=1&tarax=2&srcax=2&percent=N&days=40&Redraw=
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.domwis.html
----------------------------------------------------------------

Handler-on-Duty: Dave Brookshire <dsb AT rlx DOT com>