How about monitoring the wire for spyware traffic? I've compiled a couple of Snort signatures that seem to work OK. Most of them are somewhat prone to false positives because they simply look for text strings. This one is coded to monitor traffic going through a squid proxy; the logic could be modified so that it would work through an unproxied connection as well.
#http://www.armc.org/malware/
# The INTERNET_PROXIES variable should be set to servers that process a lot of internet traffic.
# This is a rather broad definition of a proxy. Things that should go here are:
#   Mail servers and scanners - they kind of proxy mail ;)
#   Web proxies, cache servers, etc.
var INTERNET_PROXIES [172.16.1.3]

# Update checks by known spyware, keyed on the HTTP Host header of traffic on the squid port (8080)
alert tcp $INTERNET_PROXIES any -> $HOME_NET 8080 (msg:"Gator updates"; content:"Host\: updateserver.gator.com"; flags: PA;)
alert tcp $INTERNET_PROXIES any -> $HOME_NET 8080 (msg:"Installshield updates"; content:"Host\: updates.installshield.com"; flags: PA;)
alert tcp $INTERNET_PROXIES any -> $HOME_NET 8080 (msg:"Comet Systems update"; content:"Host\: update.cc.cometsystems.com"; flags: PA;)

# Bare string matches on any IP traffic; case-insensitive and unanchored, so these are the noisy ones
alert ip $INTERNET_PROXIES any -> any any (msg:"Malware Keenvalue"; content:"Keenvalue"; nocase;)
alert ip $INTERNET_PROXIES any -> any any (msg:"Malware flowgo"; content:"flowgo"; nocase;)
alert ip $INTERNET_PROXIES any -> any any (msg:"Malware 2020search"; content:"2020search"; nocase;)
alert ip $INTERNET_PROXIES any -> any any (msg:"Malware rcprograms"; content:"rcprograms"; nocase;)
alert ip $INTERNET_PROXIES any -> any any (msg:"Malware gator"; content:"webpdpcookie"; nocase;)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Haar
Sent: Tuesday, June 08, 2004 7:01 PM
To: [EMAIL PROTECTED]
Subject: Spyware false positives?

Hi there

I am starting to see if we can use Nessus to find spyware on our LAN. It seems to work - but has a high false-positive rate. I think what's happening is it looks for registry keys that are left behind by cleanup programs like SpyBot - so Nessus is effectively detecting hosts that *at some time* have had spyware installed on them - but can't differentiate between old and current infections.

Is there a better way of doing this? Doesn't spyware normally install actual programs that could be searched for? [I don't care about cookies! ;-)]

Thanks

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
Nessus mailing list
[EMAIL PROTECTED]
http://mail.nessus.org/mailman/listinfo/nessus
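Added example, not part of either message above and not Snort code: a small Python emulation of the two matching styles in the posted signatures, run over constructed HTTP requests. An unanchored Snort `content:` option is a substring test over the whole payload, which is why the bare-string rules (and even the `Host:` rules) can fire on a URL path, a pasted log line or a forum post that merely mentions the string. The `host_alert` function shows the tighter check a practitioner would want: parse the request's own Host header and compare it to the update servers. The `.test` hostnames, request bodies and the `SPYWARE_HOSTS` table are assumptions made for the example.

```python
"""Emulate the posted Snort signatures and a header-anchored alternative.

All sample requests below are constructed for this example.
"""
import re

# Transcribed from the signatures above: (msg, content pattern, nocase)
SIGNATURES = [
    ("Gator updates", b"Host: updateserver.gator.com", False),
    ("Installshield updates", b"Host: updates.installshield.com", False),
    ("Comet Systems update", b"Host: update.cc.cometsystems.com", False),
    ("Malware Keenvalue", b"Keenvalue", True),
    ("Malware flowgo", b"flowgo", True),
    ("Malware 2020search", b"2020search", True),
    ("Malware rcprograms", b"rcprograms", True),
    ("Malware gator", b"webpdpcookie", True),
]


def snort_content_matches(payload: bytes, pattern: bytes, nocase: bool) -> bool:
    """An unanchored Snort `content:` option: substring anywhere in the payload."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def alerts_for(payload: bytes) -> list:
    """Messages of every posted signature that would fire on this payload."""
    return [msg for msg, pat, nocase in SIGNATURES
            if snort_content_matches(payload, pat, nocase)]


# Tighter alternative: look only at the request's own Host header.
HOST_RE = re.compile(rb"^Host:[ \t]*([^\r\n]+)", re.I | re.M)

# Assumed mapping of update servers to alert names (example data)
SPYWARE_HOSTS = {
    b"updateserver.gator.com": "Gator updates",
    b"updates.installshield.com": "Installshield updates",
    b"update.cc.cometsystems.com": "Comet Systems update",
}


def request_host(payload: bytes):
    """Host header of an HTTP request, lower-cased with any :port stripped, or None."""
    m = HOST_RE.search(payload)
    if not m:
        return None
    return m.group(1).strip().lower().split(b":")[0]


def host_alert(payload: bytes):
    """Fire only when the request is actually addressed to a listed update server."""
    return SPYWARE_HOSTS.get(request_host(payload))


# Constructed sample requests: one true positive, two false positives for the
# substring rules, and one benign request.
SAMPLES = {
    "gator_update": (b"GET /update.ini HTTP/1.1\r\nHost: updateserver.gator.com\r\n"
                     b"User-Agent: Gator/5.0\r\n\r\n"),
    "forum_post": (b"GET /threads/how-do-i-remove-flowgo-and-keenvalue HTTP/1.1\r\n"
                   b"Host: forum.example.test\r\n\r\n"),
    "quoted_header": (b"POST /paste HTTP/1.1\r\nHost: paste.example.test\r\n"
                      b"Content-Length: 42\r\n\r\n"
                      b"log excerpt: Host: updateserver.gator.com\r\n"),
    "plain": b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
}


def scan_all() -> dict:
    """Compare both matching styles on every sample: name -> (snort alerts, host alert)."""
    return {name: (alerts_for(p), host_alert(p)) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (snort, anchored) in scan_all().items():
        print(f"{name:14s} snort={snort} host_anchored={anchored}")
```

The `forum_post` and `quoted_header` samples are the false positives the first message warns about: the substring rules fire on a URL path that names the spyware and on a pasted log line containing the literal header, while the Host-anchored check fires only for the request genuinely sent to the update server.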
