
| Subject: | Re: [Full-Disclosure] Tools for checking for presence of adware remotely |
|---|---|
| Date: | Wed, 30 Jun 2004 18:31:41 -0700 (PDT) |
-aditya
Sure...Perl scripts. As a security admin in an FTE position, I had scripts that checked all systems within the domain for entries in the ubiquitous 'Run' key, as well as for BHOs. Easy stuff, pretty trivial, actually.

but then you would have to keep on updating your bhos and other sigs, and what about the spyware that when removed from the run key refuse to let the network connections operate? how do u take care of them?
You need to go back and read what I posted again. I never said anything about removing anything...all I did was check. By querying the BHO listings and the entries in the Run key (and others), I was able to narrow down the systems that needed to be visited personally. It's not difficult to figure out how things work on Windows systems. Once you find that out, it's pretty simple. I will defer to Marcus Ranum's title of "artificial ignorance" to describe how the Perl scripts work...by identifying those things that are known to be 'good' entries and filtering those out, you're left with the suspicious stuff.
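The known-good filtering described in the message above, as an added Python example; it is not the poster's Perl scripts. The host names, entries, CLSIDs and allowlist are constructed, and the inventory stands in for whatever a remote registry sweep returns.

```python
# Constructed sample data: what a remote registry sweep might return per host.
# Each record: (host, source, name, data). Sources are the Run key and the
# Browser Helper Objects key; all names, paths and CLSIDs are invented.
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BHO = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

INVENTORY = [
    ("WS01", RUN, "CorpAV", r'"C:\Program Files\CorpAV\avtray.exe" /min'),
    ("WS01", BHO, "{11111111-1111-1111-1111-111111111111}", ""),
    ("WS02", RUN, "corpav", r"c:\program files\corpav\AVTRAY.EXE /min"),
    ("WS02", RUN, "WinUpdt32", r"C:\WINDOWS\system32\wupdt32.exe"),
    ("WS03", RUN, "CorpAV", r"C:\Temp\avtray.exe"),
    ("WS03", BHO, "{22222222-2222-2222-2222-222222222222}", ""),
]

# Known-good allowlist (constructed). Run entries are matched on name AND
# normalized command, so a familiar name pointing at a new path still surfaces.
KNOWN_GOOD = {
    (RUN, "corpav", r"c:\program files\corpav\avtray.exe /min"),
    (BHO, "{11111111-1111-1111-1111-111111111111}", ""),
}

def normalize(text):
    """Registry names and Windows paths are case-insensitive; quoting varies."""
    return " ".join(text.replace('"', "").lower().split())

def suspicious(inventory, known_good):
    """Drop every known-good entry; return what is left, grouped by host."""
    leftovers = {}
    for host, source, name, data in inventory:
        key = (source, normalize(name), normalize(data))
        if key not in known_good:
            leftovers.setdefault(host, []).append((source, name, data))
    return leftovers

if __name__ == "__main__":
    for host, entries in sorted(suspicious(INVENTORY, KNOWN_GOOD).items()):
        print(host)
        for source, name, data in entries:
            print(f"  {source}\\{name} = {data!r}")
```

Only WS02 and WS03 remain after filtering, which is the short list of machines to visit; the WS03 entry shows why the allowlist keys on the command as well as the value name.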