> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Michael Scheidell
> Sent: Thursday, 24 July 2003 11:09 p.m.
> To: Leif Sawyer
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Win32 Cisco Exploit
>
> Sometimes we run things like this on our 'judas goat' computer.
> Not only is it not on our corporate network, but uses a different internet
> provider.
>
> We have sniffer^h^h^h^h^h^h^h snorter on it to watch the traffic.
>
> We run full sysdiffs before and after, and just to be double paranoid, put
> the ghost image back on afterwards. Don't forget to lock out the flash
> BIOS update on the computer.
For these "suspicious" binaries, I'd always suggest running them on an isolated computer (as you already do). Also, there is a very nice utility Roxio (now Symantec?) makes called GoBack which allows you to trace exactly what a process did and revert to the previous state. I've been using it to test various viruses and worms as it will print very nicely absolutely everything that happened.

You might want to check it on: http://www.symantec.com/goback/

Regards,

Bojan Zdrnja

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
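A minimal version of the "sysdiff before and after" step from the quoted procedure, as an added example that is not part of either message: hash every file on the isolated box before running the sample, hash again afterwards, and report what was added, removed or modified. The `demo()` function builds a constructed scratch tree and stands in for the changes a sample might leave behind; the paths and hosts-file line it uses are made up for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    snap = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # links and special files are not part of the baseline
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            snap[path.relative_to(root).as_posix()] = digest.hexdigest()
    return snap


def diff_snapshots(before, after):
    """Return sorted (added, removed, modified) path lists between two snapshots."""
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    modified = sorted(p for p in after if p in before and after[p] != before[p])
    return added, removed, modified


def demo():
    """Constructed scratch tree: take a baseline, simulate changes, diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (root / "readme.txt").write_bytes(b"clean baseline\n")
        (root / "old.log").write_bytes(b"rotated\n")
        before = snapshot(root)
        # Stand-ins for what a sample left behind (constructed, not real malware)
        with open(root / "system32" / "hosts", "ab") as fh:
            fh.write(b"203.0.113.7 update.example\n")
        (root / "dropped.dll").write_bytes(b"MZ" + b"\0" * 14)
        (root / "old.log").unlink()
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    print(demo())
```

On a real box you would run `snapshot()` over the system drive from a clean boot, run the sample, snapshot again from a trusted boot medium, and keep both snapshots off the machine so the sample cannot tamper with them.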
