Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Virus
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: what is the best procedure to track down a potentially new virus/wor

from [GuidoZ] Network Security [Permanent Link]
Subject: Re: what is the best procedure to track down a potentially new virus/worm/etc?
Date: Tue, 14 Dec 2004 18:59:50 -0500 
Hello Rodrigo,

Glad you were able to apply a "band-aid" to get it under control temporarily.


My question is, what do you think is the best procedure to track down
the executables responsible for this behavior? After tracking them
down, I could submit the sample to several online scanners in order to
determine which specific malware is affecting the PCs.

It it were UNIX, I could use commands like socklist and netstat to
track down the malware processes. But in Windows XP, I don't know what
to use. Are there any built-in utilities? Some freeware stuff? All
help is welcome.


A useful program for Windows is freeware from Foundstone called Fport:
- http://www.foundstone.com/resources/proddesc/fport.htm

Once you've narrowed down the EXEs, you could submit it to a place
like VirusTotal:
- http://www.VirusTotal.com

This will scan the EXEs with many different AV engines for known
malware (even spyware/adware from some engines). They will also
automatically send your malware sample to all engines used. (To
disable this, click the "Distribute" icon next to the file submission
line.)

Nick FitzGerlad also put up a list some time ago of addresses to
submit samples too. If any of these are out of date, please let me
know and/or message the list with an update:

Authentium (Command Antivirus)  <virus@authentium.com>
BitDefender                     <virus_submission@bitdefender.com>
Computer Associates (US)        <virus@ca.com>
Computer Associates (Vet/EZ)    <ipevirus@vet.com.au>
DialogueScience (Dr. Web)       <Antivir@dials.ru>
Eset (NOD32)                    <sample@nod32.com>
F-Secure Corp.                  <samples@f-secure.com>
Frisk Software (F-PROT)         <viruslab@f-prot.com>
Grisoft (AVG)                   <virus@grisoft.cz>
H+BEDV (AntiVir, Vexira engine) <virus@antivir.de>
Kaspersky Labs                  <newvirus@kaspersky.com>
Network Associates (McAfee)     <virus_research@nai.com>
 (use a ZIP file with the password 'infected' without the quotes)
Norman (NVC)                    <analysis@norman.no>
Panda Software                  <labs@pandasoftware.com>
Sophos Plc.                     <support@sophos.com>
Symantec (Norton)               <avsubmit@symantec.com>
Trend Micro (PC-cillin)         <virus_doctor@trendmicro.com>
 (Trend may only accept files from users of its products)

NOTE:  Resending this to the list - Mark Fossi caught a small snafu
that has now been fixed with the email addresses. He also informed me
of BitDefender's address, which has been added to the list above.
Resending to Rodrigo as well to help avoid confuson. =)

HTH!

--
Peace. ~G


On Fri, 10 Dec 2004 18:50:55 +0000, Rodrigo Ventura <yoda@isr.ist.utl.pt> wrote:


I have a couple of PCs (running XP) which I'm sure are infected with
some kind of malware. Common anti-virus such as OfficeScan and
Symantec do not detect them. They seem to be irc bots. They try to
connect to IRC servers, using a password, and receive from there
instructions on what to do, namely scan for LSASS vulnerabilities by
scanning the entire IP subnet in random. I sniffed the IRC servers IPs
and passwords, and confirmed my suspicions, after entering in those
IRC servers (and being banned as soon as detected by the
admins). Moreover, they open backdoors, which accoriding to the kind
of responses to a telnet, seem spam relayers, or FTP servers (not sure
which).

(My response to this threat was to block the IPs of the suspicious IRC
servers in the firewall. This calmed down the packet storms I've been
watching...)

My question is, what do you think is the best procedure to track down
the executables responsible for this behavior? After tracking them
down, I could submit the sample to several online scanners in order to
determine which specific malware is affecting the PCs.

It it were UNIX, I could use commands like socklist and netstat to
track down the malware processes. But in Windows XP, I don't know what
to use. Are there any built-in utilities? Some freeware stuff? All
help is welcome.

And regarding the IRC server IPs, is it worthwhile to report them to
the authorities specified in the whois databases?

Cheers,

Rodrigo

--

*** Rodrigo Martins de Matos Ventura <yoda@isr.ist.utl.pt>
***  Web page: http://www.isr.ist.utl.pt/~yoda
***   Teaching Assistant and PhD Student at ISR:
***    Instituto de Sistemas e Robotica, Polo de Lisboa
***     Instituto Superior Tecnico, Lisboa, PORTUGAL
*** PGP fingerprint = 0119 AD13 9EEE 264A 3F10  31D3 89B3 C6C4 60C6 4585
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: what is the best procedure to track down a potentially new virus/worm/etc?, John Barton
Next by Date:  Re: what is the best procedure to track down a potentially new virus/worm/etc?, Rich Gardner
Previous by Thread:  Re: what is the best procedure to track down a potentially new virus/worm/etc?, Rich Gardner
Next by Thread:  RE: what is the best procedure to track down a potentially new virus/worm/etc?, Roger Padilla Jr
Indexes:  [Date] [Thread] [Top] [All Lists]