[svlug] botnets

Joe Buck Joe.Buck at synopsys.COM
Mon Jan 8 11:46:51 PST 2007


On Mon, Jan 08, 2007 at 11:14:54AM -0800, John Conover wrote:
>     http://www.derks.it/tools.html
> 
> is kind'a neat - it's clever. Very simple way of detecting malware and
> rootkits - runs out of cron several times an hour, so is stingy with
> resources.

To defeat that, if I were a bad guy I'd just make sure that only
ordinary and expected programs access the Internet.  For example,
invoke "mutt" to send spam, invoke "wget" to download any files needed
by the bot, use ssh/scp to access remote systems, etc.  That tool
will say that it's all normal.  The malware programs would just invoke
these tools to do all the actual work.
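One defensive answer to the evasion Joe describes is to judge a network-connected process by its ancestry as well as its name: an allowlisted tool such as wget is still suspicious when its parent chain runs through a binary in /tmp. The following is an added illustration written for this thread, not code from the derks.it tool or from either poster; the process table and allowlist are constructed sample data, and the trusted-directory rule is an assumption.

```python
# Added example: flag network-connected processes by an exe allowlist AND by
# the trust of their ancestry, so an allowlisted tool launched by an
# untrusted parent is still reported. Process table is constructed inline.

TRUSTED_DIRS = ("/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/", "/usr/lib/")
NET_ALLOWLIST = {"/usr/bin/mutt", "/usr/bin/wget", "/usr/bin/ssh", "/usr/bin/scp"}

def is_trusted_path(exe):
    """Assumed policy: binaries under system directories are trusted ancestors."""
    return exe.startswith(TRUSTED_DIRS)

def ancestry(pid, procs):
    """Yield (pid, exe) for pid and every ancestor; stop at an unknown pid or a loop."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield pid, procs[pid]["exe"]
        pid = procs[pid]["ppid"]

def audit(procs, net_pids):
    """Return (pid, exe, reason) for every socket-holding process worth a look."""
    alerts = []
    for pid in sorted(net_pids):
        exe = procs[pid]["exe"]
        if exe not in NET_ALLOWLIST:
            alerts.append((pid, exe, "exe not on network allowlist"))
            continue
        # Allowlisted tool: walk up the parent chain looking for an untrusted launcher.
        for apid, aexe in ancestry(procs[pid]["ppid"], procs):
            if not is_trusted_path(aexe):
                alerts.append((pid, exe, f"launched under untrusted ancestor {aexe} (pid {apid})"))
                break
    return alerts

# Constructed sample process table: pid -> executable path and parent pid.
SAMPLE_PROCS = {
    1:   {"exe": "/sbin/init",     "ppid": 0},
    300: {"exe": "/usr/sbin/cron", "ppid": 1},
    301: {"exe": "/usr/sbin/sshd", "ppid": 1},
    410: {"exe": "/bin/sh",        "ppid": 300},
    411: {"exe": "/tmp/.x/bot",    "ppid": 410},  # constructed: dropped binary run from cron
    412: {"exe": "/usr/bin/wget",  "ppid": 411},  # allowlisted tool, but the bot is its parent
    520: {"exe": "/bin/bash",      "ppid": 301},  # interactive login shell
    521: {"exe": "/usr/bin/ssh",   "ppid": 520},  # legitimate use by a logged-in user
}
SAMPLE_NET_PIDS = {411, 412, 521}  # constructed: pids currently holding sockets

if __name__ == "__main__":
    for alert in audit(SAMPLE_PROCS, SAMPLE_NET_PIDS):
        print(alert)
```

On a live system the table would come from /proc (exe symlink and PPid in status) and the socket holders from ss or /proc/net; the same ancestry walk applies.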
