Re: Detecting Zombies?



John Oliver wrote:
On Thu, 04 Sep 2008 18:59:08 GMT, 7 wrote:
Inside a dos box, enter netstat -a to list all the connections.
It should be about ten lines if idling.

You cannot trust anything a potentially-compromised host will tell you.
Utilities like netstat will probably be replaced with copies that will
not display the malicious traffic.


You're giving the malware authors (or their potential "users") too much credit. Malware will often use basic hiding mechanisms, such as hiding its files in Explorer or the process from Task Manager, but there is little point doing anything more sophisticated on a Windows machine. It would be a great deal of work making a Windows version of netstat that didn't show your malware (on open source OSes it's easy - download the source, add a couple of lines of filter, re-compile), and virtually no victim is going to think of using it. Any admin will normally use something like Spybot Search and Destroy, or some other popular malware finder - not netstat.
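The first post's advice ("about ten lines if idling") is really a baseline check: know what an idle host's socket table looks like and flag whatever is not on the list. The following is an added example (not code from anyone in this thread) that parses Windows-style `netstat -an` output and diffs it against an expected baseline. The netstat output, the expected listening ports and the allowed remote ports are all constructed for the example; a real baseline comes from a known-clean image of the same host. It does nothing about the second post's objection (a replaced netstat lies to you), so in practice the same table should be compared with a view from outside the host, such as a firewall or a network capture.

```python
"""Baseline check over Windows `netstat -an` output (added example).

Parses the socket table, then reports listening sockets and established
connections that are not in the expected baseline for an idle host.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample of `netstat -an` output on a Windows host.
# The 6667 listener and the outbound 6667 connection are the planted oddities.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:49152       198.51.100.5:80        ESTABLISHED
  TCP    192.0.2.10:49153       203.0.113.7:6667       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed baseline: what an idle host of this build is expected to expose.
EXPECTED_LISTENING: Set[Tuple[str, int]] = {("TCP", 135), ("TCP", 445), ("UDP", 137)}
# Constructed baseline: remote ports an idle host may legitimately talk to.
EXPECTED_REMOTE_PORTS: Set[int] = {80, 443}


@dataclass(frozen=True)
class Socket:
    proto: str
    local_host: str
    local_port: Optional[int]
    remote_host: str
    remote_port: Optional[int]
    state: str  # empty for UDP rows, which Windows netstat prints without a state


# Proto, local endpoint, foreign endpoint, optional state column.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def _split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port' on the last colon; '*' or other non-numeric ports become None."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Socket]:
    """Return one Socket per data row; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state = m.groups()
        lhost, lport = _split_endpoint(local)
        rhost, rport = _split_endpoint(remote)
        sockets.append(Socket(proto, lhost, lport, rhost, rport, state or ""))
    return sockets


def unexpected_listeners(sockets: List[Socket],
                         baseline: Set[Tuple[str, int]] = EXPECTED_LISTENING) -> List[Tuple[str, int]]:
    """Listening TCP sockets and all bound UDP sockets that are not in the baseline."""
    found = {(s.proto, s.local_port) for s in sockets
             if (s.state == "LISTENING" or s.proto == "UDP") and s.local_port is not None}
    return sorted(found - baseline)


def unexpected_connections(sockets: List[Socket],
                           ok_ports: Set[int] = EXPECTED_REMOTE_PORTS) -> List[Socket]:
    """Established connections whose remote port is not on the allow list."""
    return [s for s in sockets
            if s.state == "ESTABLISHED" and s.remote_port not in ok_ports]


def report(text: str) -> List[str]:
    """Human-readable findings; an empty list means the table matches the baseline."""
    sockets = parse_netstat(text)
    lines = [f"unexpected listener {proto}/{port}" for proto, port in unexpected_listeners(sockets)]
    lines += [f"unexpected connection to {s.remote_host}:{s.remote_port}"
              for s in unexpected_connections(sockets)]
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_NETSTAT) or ["socket table matches baseline"]:
        print(finding)
```

To run it against a live host, replace `SAMPLE_NETSTAT` with the captured output of `netstat -an` (for example via `subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout`) and build the two baseline sets from a clean reference machine rather than from the host under suspicion.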