
Re: Trojans / Remote Desktop Access

Subject: Re: Trojans / Remote Desktop Access
Date: Mon, 9 Aug 2004 17:54:06 -0700 (PDT)
The other option for a third party tool is Gargoyle from WetStone.
http://www.wetstonetech.com/page/page/1104418.htm
 
  JR

--- "Shannon.ONeil" <Shannon.ONeil@target.com> wrote:


Scott,  

... A few thoughts, after which you can say "I did that already!"

A) files associated w/ trojans
      1>  As you mentioned EnScripts, I gather you own EnCase.  I would suggest exporting out the victim drive and scanning with an enterprise AV scanner.
      2>  Perform a thorough timeline analysis around any .exe, .com, .scr, or .pif files identified by AV.
      3>  A complete file signature / named extension review to look for files that aren't what they say they are.

B) files changed / updated....
      1>  Turn ALL security event logs up to max.  If it's a server-class and the logs are rolling, use something like "dumpsec.exe" to ship the logs off-box.  Focus on "file and object access", and "process tracking" if you can handle the event rate.
      2>  Suspicions regarding trojans and backdoors for which you do not have an AV sig are best hunted on the wire, searching for listening ports or RFC protocol violations.
      3>  The specific program MS Terminal Services Client (mstsc.exe, aka Remote Desktop) when launched from the aggressor will connect with rdp.exe on the victim.  Standard C:\Documents and Settings entries should occur, primarily the user registry hive in the hidden file, ntuser.dat.

As I said, you may have done all of these....  and I need to turn my focus back to a project.

Good luck and let us know how it goes.
 
Shannon O'Neil
Security Architect, EnCE
Target Information Security Group
612-304-5071
 
 

-------------------------------------------------------------------------------------------
 
For Windows 2000 & XP:

Has anyone seen any tools that will identify, in an image, files associated with Trojans? ( EnScripts or other tools? )

And

Are any files changed / updated / connections logged when remote desktop ( Windows ) is used to access a machine remotely?

Scott Greene

Great Scott Enterprises, Inc.

Tucson, Az 520-795-7166 / 520-722-6796 Fax

 


-----------------------------------------------------------------

This list is provided by the SecurityFocus ARIS analyzer service.

For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com







=====
Thanks - 
           James S. Ringold III
           jringold@yahoo.com


                
__________________________________
Do you Yahoo!?
New and Improved Yahoo! Mail - Send 10MB messages!
http://promotions.yahoo.com/new_mail 

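Two of the steps suggested in this thread, the file signature / named extension review and the timeline pass around executable files, are easy to reproduce outside EnCase once the victim drive has been exported to a directory tree. The script below is an added example written for this archive page; it is not from any of the posters, not an EnScript, and not Gargoyle or any other product mentioned above. The function names (sniff_type, review_tree, timeline_around, build_sample_tree, run_demo), the short header table, and the sample tree it builds in a temp directory are all constructed for the demonstration. It flags files whose leading bytes contradict their extension (a PE image named .pdf, for instance), collects every file that is executable by extension or by header, and then lists the MAC-time events of all files within an hour of each flagged file's modification time.

```python
import os
import tempfile
from datetime import datetime, timezone

# Leading bytes for a handful of common types (deliberately small; extend for real casework).
# "MZ" is the DOS/PE executable header carried by .exe, .dll, .scr and .cpl files.
MAGIC = [
    (b"MZ", "PE"),
    (b"%PDF", "PDF"),
    (b"\xff\xd8\xff", "JPEG"),
    (b"\x89PNG\r\n\x1a\n", "PNG"),
    (b"PK\x03\x04", "ZIP"),
]
# Content type each extension is expected to carry. .com and .pif have no reliable header.
EXPECTED = {
    ".exe": "PE", ".dll": "PE", ".scr": "PE", ".cpl": "PE",
    ".pdf": "PDF", ".jpg": "JPEG", ".jpeg": "JPEG", ".png": "PNG",
    ".zip": "ZIP", ".docx": "ZIP",
}
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll", ".cpl"}


def sniff_type(head):
    """Identify a file by its leading bytes, or None if no known header matches."""
    for magic, name in MAGIC:
        if head.startswith(magic):
            return name
    return None


def review_tree(root):
    """Walk an exported tree and return (mismatches, executables), both sorted.
    mismatches: (path, extension, actual_type) where the header contradicts the name.
    executables: files executable by extension OR carrying a PE header, i.e. the set
    worth a timeline pass even when the AV scanner stays silent."""
    mismatches, executables = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                actual = sniff_type(fh.read(16))
            if ext in EXEC_EXTS or actual == "PE":
                executables.append(path)
            if actual == "PE" and ext not in EXEC_EXTS:
                mismatches.append((path, ext, actual))   # executable hiding under a data extension
            elif EXPECTED.get(ext) and actual and actual != EXPECTED[ext]:
                mismatches.append((path, ext, actual))   # e.g. a .pdf that is really a ZIP
    return sorted(mismatches), sorted(executables)


def timeline_around(root, anchors, window=3600):
    """MAC-time events for every file within `window` seconds of an anchor file's mtime.
    Labels: M = modified, A = accessed, C = st_ctime, which is creation time on Windows but
    inode change time on Linux; remember that when the image is examined on a Linux box."""
    anchor_times = [os.stat(p).st_mtime for p in anchors]
    events = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            for label, ts in (("M", st.st_mtime), ("A", st.st_atime), ("C", st.st_ctime)):
                if any(abs(ts - a) <= window for a in anchor_times):
                    events.append((ts, label, path))
    return sorted(events)


def build_sample_tree(root):
    """Constructed sample tree standing in for an exported drive (not real evidence)."""
    base = 1_092_000_000  # fixed epoch (Aug 2004) so the timeline is reproducible
    samples = {
        "WINDOWS/system32/calc.exe":      (b"MZ" + b"\x90" * 62, base - 30 * 86400),  # old, legitimate
        "Documents/quarterly.pdf":        (b"%PDF-1.4\n" + b"x" * 55, base - 10 * 86400),
        "Documents/notes.txt":            (b"meeting at 3\n", base - 5 * 86400),
        "Documents/invoice.pdf":          (b"MZ" + b"\x00" * 62, base),                # PE dressed as a PDF
        "WINDOWS/system32/svchost32.scr": (b"MZ" + b"\x00" * 62, base + 120),          # dropped two minutes later
    }
    for rel, (data, mtime) in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))   # sets A and M; C becomes "now", i.e. outside the window
    return root


def run_demo():
    """Build the sample tree in a temp directory, flag mismatches, then pivot to a timeline."""
    root = build_sample_tree(tempfile.mkdtemp(prefix="exported_image_"))
    mismatches, executables = review_tree(root)
    events = timeline_around(root, [p for p, _, _ in mismatches], window=3600)
    return {"root": root, "mismatches": mismatches, "executables": executables, "events": events}


if __name__ == "__main__":
    r = run_demo()
    for path, ext, actual in r["mismatches"]:
        print(f"MISMATCH: {os.path.relpath(path, r['root'])} is {actual}, not {ext}")
    print(f"{len(r['executables'])} executable candidates by extension or header")
    for ts, label, path in r["events"]:
        stamp = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        print(stamp, label, os.path.relpath(path, r["root"]))
```

Running it against the constructed tree reports Documents/invoice.pdf as a PE image under a PDF name, and the timeline around it surfaces WINDOWS/system32/svchost32.scr written two minutes later, which is the kind of neighbour the timeline step in the thread is meant to expose. On a real export, work from a read-only mount (or a copy) so the review itself does not bump access times, and treat the header table as a starting point, not a substitute for a full signature database.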