Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Malware/trojan attacks

from [lucretias] Network Security [Permanent Link]
Subject: RE: Malware/trojan attacks
Date: Thu, 26 Oct 2006 18:21:39 -0600 
Harlan


Just out of curiosity, what are you seeing that leads you to
say this?  I'm not sure that I see anything in Richard's
original email that suggests a rootkit at this point.


I have seen broken or failed attempts that resemble this.  Not identical or
using the same IP's, but using a trojan to infect, then quickly get the
backdoors in place, but they don't work or may not work.  I don't know if it
is part of a rootkit, or other malware, it simply reminded me of this event
so I thought I'd mention it.


You should determine (if possible) what rootkit has infected the
machine.
It sounds like a new variant or perhaps a new tool altogether.


Again, what leads you to think this, if you don't mind me asking?


What leads me to ask to check for rootkits?  Well there is a variety of
software available that can do this.  Why not?  Maybe something (else)
suspicious will pop up.

I wasn't trying to be conclusive, just making a suggestion.  Sorry if anyone
misunderstood as a result.


I would suggest wiping the box and rebuilding it if you cannot
determine exactly what is the culprit or any way to clean it.


Hhhmmm...if it is a rootkit, then perhaps wiping/reinstalling
may be the way to go, but I'd suggest further investigation
and a root cause analysis first.  Even if Richard were to
find out what the malware is (looks like an IRCbot at this
point), without a root cause analysis (and subsequent actions
as a result), the system will likely be reinfected all over again.


I'd agree.  Further analysis is warranted.

But if it was a simple trojan a detection and clean would solve the problem.
Since there appears to be some unknown variables still suspect, I'd look at
it like a rootkit, if it turns into a simple spam or ddos tool then so be
it.  If it's a bot, then that is like many, many different malwares...what
the bot does is certainly more important.


Cheers,

James Friesen, CIO
Lucretia Enterprises
Our World Is Here
info at lucretia dot ca
http://lucretia.ca




------------------------------------------------------------------------------
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas. 
World renowned security experts reveal tomorrow's threats today. Free of 
vendor pitches, the Briefings are designed to be pragmatic regardless of your 
security environment. Featuring 36 hands-on training courses and 10 conference 
tracks, networking opportunities with over 2,500 delegates from 40+ nations. 

http://www.blackhat.com
------------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Malware/trojan attacks, Harlan Carvey
Previous by Thread:  RE: Malware/trojan attacks, Harlan Carvey
Next by Thread:  Re: Malware/trojan attacks, krokofish
Indexes:  [Date] [Thread] [Top] [All Lists]