Re: [Clamav-users] Spyware detection...
On 9/15/05, Joanna Roman <[EMAIL PROTECTED]> wrote:
> Whoever is about to submit the spywares, may I ask whether those spywares
> come in via port 80 or port 21?

95% of the spyware I have dealt with sends out data from itself on one of 3 channels:

1) 80/tcp
2) 443/tcp
3) 53/tcp or udp

The rest of it sends out data via some other port (8080, 6667, choose something on the day). Getting the spyware is usually done via port 80. Although the really bad spyware which is mostly malware may get downloaded from port 443, 8080 or some random port on a compromised botnet. I have not seen much FTP these days... but it was only about 100 or so tools I looked at, and I know that is a small subset of some of this crap.

--
Stephen J Smoogen.
CSIRT/Linux System Administrator

___
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Spyware detection...
--- "Christopher X. Candreva" <[EMAIL PROTECTED]> wrote:
> On Mon, 12 Sep 2005, Stephen J. Smoogen wrote:
>
> > I am currently looking at doing the same thing. I have a set of boxes
> > that I am planning to 'infect' with spyware and then start making
> > signatures for them. It is a rather slow process at the moment..
>
> There doesn't seem to be any reason a separate project couldn't provide a
> signature package that worked with Clam to look for Spyware (or Spam, or
> anti-Brady Bunch messages, or whatever for that matter).
>
> -Chris
>
> ==
> Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
> WestNet Internet Services of Westchester
> http://www.westnet.com/

Whoever is about to submit the spywares, may I ask whether those spywares come in via port 80 or port 21?
Re: [Clamav-users] Spyware detection...
And this just proves that spending 2 hours actively trying to look for something... and failing should be just cause for my internet license to be revoked. Sorry about the obvious question with obvious answer.

On 9/15/05, Jason Englander <[EMAIL PROTECTED]> wrote:
> On Thu, 15 Sep 2005, Stephen J. Smoogen wrote:
>
> > Well I am interested in seeing how this could be done. What is the
> > documentation I need to start looking at on how to make signatures for
> > clamav?
>
> http://www.clamav.net/
> -> documentation
> -> latest
> -> signatures.pdf
>
> (http://www.clamav.net/doc/latest/signatures.pdf)
>
> --
> Jason Englander <[EMAIL PROTECTED]>
> 394F 7E02 C105 7268 777A 3F5A 0AC0 C618 0675 80CA

--
Stephen J Smoogen.
CSIRT/Linux System Administrator
Re: [Clamav-users] Spyware detection...
On Thu, 15 Sep 2005, Stephen J. Smoogen wrote:
> Well I am interested in seeing how this could be done. What is the
> documentation I need to start looking at on how to make signatures for
> clamav?

http://www.clamav.net/
-> documentation
-> latest
-> signatures.pdf

(http://www.clamav.net/doc/latest/signatures.pdf)

--
Jason Englander <[EMAIL PROTECTED]>
394F 7E02 C105 7268 777A 3F5A 0AC0 C618 0675 80CA
Re: [Clamav-users] Spyware detection...
Well I am interested in seeing how this could be done. What is the documentation I need to start looking at on how to make signatures for clamav?

On 9/14/05, Dan MacNeil <[EMAIL PROTECTED]> wrote:
> Thomas Hruska wrote:
> [asks in a somewhat forceful way that clam detect spyware]
>
> Perhaps you might offer to pay the clamav group to add the features you
> desire.
>
> "free" is speech not beer.

--
Stephen J Smoogen.
CSIRT/Linux System Administrator
Re: [Clamav-users] Spyware detection...
Thomas Hruska wrote:
[asks in a somewhat forceful way that clam detect spyware]

Perhaps you might offer to pay the clamav group to add the features you desire.

"free" is speech not beer.
Re: [Clamav-users] Spyware detection...
> --- Thomas Hruska <[EMAIL PROTECTED]> wrote:
>
> Aren't there already spyware signatures in ClamAV database?
>
> http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=ware&search-type=contains&case-sensitivity=No&database=daily&database=main&display=database&display=virus&.submit=&.cgifields=database&.cgifields=case-sensitivity&.cgifields=search-type&.cgifields=display

Apparently not to Mr. Hruska's satisfaction. However, since something that removes them is an important part of the problem, and since ClamAV doesn't do that, it is probably not a big help that ClamAV can detect them.

dp
Re: [Clamav-users] Spyware detection...
On Mon, 12 Sep 2005, Stephen J. Smoogen wrote:
> I am currently looking at doing the same thing. I have a set of boxes
> that I am planning to 'infect' with spyware and then start making
> signatures for them. It is a rather slow process at the moment..

There doesn't seem to be any reason a separate project couldn't provide a signature package that worked with Clam to look for Spyware (or Spam, or anti-Brady Bunch messages, or whatever for that matter).

-Chris

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
Re: [Clamav-users] Spyware detection...
On 9/11/05, Thomas Hruska <[EMAIL PROTECTED]> wrote:
> Thank you but I already know the tool doesn't exist or I wouldn't be
> wandering around this forum. Since the tool doesn't exist, I found the
> _closest_ possible tool to the tool I am looking for and ClamAV happens
> to be that tool. You should be proud that your tool is just shy of
> being able to do something system administrators around the world want
> to be able to do. Imagine the joy a sysadmin could experience by being
> able to remotely scan a thousand plus machines on the LAN, and, in a
> matter of 30 minutes, know which ones have spyware or have a virus
> installed all from one tool. Now I know this isn't what ClamAV was
> designed for, but that's the sort of thing you have to expect from
> software and users - the unexpected but creative uses for a product.
> Given that it should only take a week or two to gather signatures from
> the various spyware vendor binaries, I don't see why you all are so
> adamant about not adding rudimentary detection. To me, spyware is a
> virus. The only difference is that it wreaks havoc on the human psyche
> instead of wreaking havoc on binary data.

I am currently looking at doing the same thing. I have a set of boxes that I am planning to 'infect' with spyware and then start making signatures for them. It is a rather slow process at the moment..

--
Stephen J Smoogen.
CSIRT/Linux System Administrator
RE: [Clamav-users] Spyware detection...
I think what you're looking for is Spybot Search & Destroy. Google it because I forgot the exact URL. And it's completely free.
Re: [Clamav-users] Spyware detection...
--- Thomas Hruska <[EMAIL PROTECTED]> wrote:
> Dennis Peterson wrote:
> > Meanwhile, why don't you create signatures for known spyware and place
> > them in your configuration? ClamAV allows this, you know. If you get good
> > at it you can share them.
> >
> > dp
>
> Actually I didn't know that. I was under the impression that it was
> completely central database driven - which I recognize as meaning
> signatures have to be added to the central database and distributed
> before the AV program recognizes it. I will look at adding signatures
> into the configuration file as an option for a possible course of
> action. Thanks.
>
> --
> Thomas Hruska

Aren't there already spyware signatures in ClamAV database?

http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=ware&search-type=contains&case-sensitivity=No&database=daily&database=main&display=database&display=virus&.submit=&.cgifields=database&.cgifields=case-sensitivity&.cgifields=search-type&.cgifields=display
Re: [Clamav-users] Spyware detection...
Dennis Peterson wrote:
> Meanwhile, why don't you create signatures for known spyware and place
> them in your configuration? ClamAV allows this, you know. If you get good
> at it you can share them.
>
> dp

Actually I didn't know that. I was under the impression that it was completely central database driven - which I recognize as meaning signatures have to be added to the central database and distributed before the AV program recognizes it. I will look at adding signatures into the configuration file as an option for a possible course of action. Thanks.

--
Thomas Hruska
Re: [Clamav-users] Spyware detection...
Thomas Hruska said:
> Dennis Peterson wrote:
>
> Thank you but I already know the tool doesn't exist or I wouldn't be
> wandering around this forum. Since the tool doesn't exist, I found the
> _closest_ possible tool to the tool I am looking for and ClamAV happens
> to be that tool. You should be proud that your tool is just shy of
> being able to do something system administrators around the world want
> to be able to do. Imagine the joy a sysadmin could experience by being
> able to remotely scan a thousand plus machines on the LAN, and, in a
> matter of 30 minutes, know which ones have spyware or have a virus
> installed all from one tool. Now I know this isn't what ClamAV was
> designed for, but that's the sort of thing you have to expect from
> software and users - the unexpected but creative uses for a product.
> Given that it should only take a week or two to gather signatures from
> the various spyware vendor binaries, I don't see why you all are so
> adamant about not adding rudimentary detection. To me, spyware is a
> virus. The only difference is that it wreaks havoc on the human psyche
> instead of wreaking havoc on binary data.

Imagine the joy a sysadmin could experience by not running Windows. That is what I've done and it works pretty well. However - for my fellow admins who cannot enjoy that experience there is Ad-Aware and similar tools and they run autonomously everywhere it's installed. Most have set it up to run during reboot and at least once a day. These are the tools I'd be running while we're all sitting on our hands waiting for the rest of the world to get behind your notion that spyware is a virus and that software providers such as this group should do something about it for free.

Meanwhile, why don't you create signatures for known spyware and place them in your configuration? ClamAV allows this, you know. If you get good at it you can share them.

dp
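The suggestion above (write your own signatures for known spyware and load them next to the stock database) and the signatures.pdf pointer earlier in the thread are easy to try. What follows is an added example, not ClamAV's code and not code from anyone on this list: it emits two of the plain-text signature formats ClamAV's signatures.pdf documents, a whole-file MD5 line (.hdb, the same fields `sigtool --md5` prints) and a hex-pattern line (.ndb), and carries a small matcher for the wildcard subset used here so the lines can be sanity-checked without a ClamAV install. The sample bytes, the beacon URL and the name Spyware.Demo.Beacon are constructed for the demo.

```python
"""Hand-made ClamAV signatures for a spyware sample, checked offline.

Added example; this is not ClamAV code and not code from anyone in this
thread.  It writes two of the plain-text signature formats that ClamAV's
signatures.pdf documents:

  .hdb   MD5:FileSize:MalwareName               whole-file hash
  .ndb   MalwareName:TargetType:Offset:HexSig   hex pattern; Offset "*" = anywhere,
                                                TargetType 1 = PE file, 0 = any file

and carries a small matcher so the lines can be sanity-checked without a
clamscan install.  The sample bytes, the beacon URL and the name
Spyware.Demo.Beacon are constructed for the demo.  With ClamAV present:

  clamscan -d custom.hdb -d custom.ndb --infected /path/to/scan
"""
import hashlib
import re

SIG_NAME = "Spyware.Demo.Beacon"          # invented signature name

# Constructed sample "installer": PE-looking header plus a beacon URL.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"http://stats.example.invalid/track.cgi?id=%08x"
    + b"\x00" * 32
)
# Same layout without the beacon string: must not match.
BENIGN_BINARY = b"MZ\x90\x00" + b"\x00" * 60 + b"hello world" + b"\x00" * 32


def hdb_entry(data: bytes, name: str) -> str:
    """Whole-file MD5 line, the same fields `sigtool --md5 file` prints.
    Any rebuild of the binary defeats it, so pair it with a hex signature."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def ndb_entry(name: str, hexsig: str, target_type: int = 1, offset: str = "*") -> str:
    """Hex-pattern line.  hexsig is lowercase hex with optional wildcards:
    '??' one byte, '*' any gap, '{n-m}' a gap of n..m bytes."""
    return f"{name}:{target_type}:{offset}:{hexsig}"


def hexsig_to_regex(hexsig: str) -> "re.Pattern[bytes]":
    """Translate the wildcard subset above into a bytes regex."""
    parts, i = [], 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            parts.append(b".*?"); i += 1
        elif hexsig[i] == "{":
            j = hexsig.index("}", i)
            lo, hi = hexsig[i + 1:j].split("-")
            parts.append(b".{%s,%s}" % (lo.encode(), hi.encode())); i = j + 1
        elif hexsig[i:i + 2] == "??":
            parts.append(b"."); i += 2
        else:
            parts.append(re.escape(bytes.fromhex(hexsig[i:i + 2]))); i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def match_ndb(line: str, data: bytes) -> bool:
    """Apply one .ndb line to a byte string (offset '*' or an absolute number)."""
    _name, _ttype, offset, hexsig = line.split(":", 3)
    rx = hexsig_to_regex(hexsig)
    if offset == "*":
        return rx.search(data) is not None
    return rx.match(data, int(offset)) is not None


def match_hdb(line: str, data: bytes) -> bool:
    """Apply one .hdb line: size check first, then the MD5."""
    md5, size, _name = line.split(":", 2)
    return len(data) == int(size) and hashlib.md5(data).hexdigest() == md5


# Key on the beacon host, allow 1..16 bytes of script path, then the query prefix.
BEACON_HEXSIG = b"http://stats.example.invalid/".hex() + "{1-16}" + b"?id=".hex()
NDB_LINE = ndb_entry(SIG_NAME, BEACON_HEXSIG)
HDB_LINE = hdb_entry(SAMPLE_BINARY, SIG_NAME)

if __name__ == "__main__":
    print(HDB_LINE)
    print(NDB_LINE)
    for label, blob in (("sample", SAMPLE_BINARY), ("benign", BENIGN_BINARY)):
        print(f"{label}: hdb={match_hdb(HDB_LINE, blob)} ndb={match_ndb(NDB_LINE, blob)}")
```

The hash line is cheap to produce but dies with the next vendor build; the hex line keyed on a string the vendor cannot easily change (its own beacon host) survives repacking of the surrounding code, which is why a signature set for spyware should lean on the .ndb form. Before shipping either, run the custom files against a clean software mirror to catch false positives.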
Re: [Clamav-users] Spyware detection...
Dennis Peterson wrote:
> Thomas Hruska said:
> > Dennis Peterson wrote:
> > > Thomas Hruska said:
> > > > I hate to crosspost, but since it appears no one reads the Win32 list, I
> > > > switched my subscription to the main users list.
> > >
> > > Everything you require can be found at Google. As you observed, ClamAV is
> > > not in the spyware detection business.
> > >
> > > dp
> >
> > No it can't because I've spent the past two days searching Google going
> > through thousands of results.
>
> Google has told you what you need - the tool you are after does not exist.
>
> dp

Thank you but I already know the tool doesn't exist or I wouldn't be wandering around this forum. Since the tool doesn't exist, I found the _closest_ possible tool to the tool I am looking for and ClamAV happens to be that tool. You should be proud that your tool is just shy of being able to do something system administrators around the world want to be able to do. Imagine the joy a sysadmin could experience by being able to remotely scan a thousand plus machines on the LAN, and, in a matter of 30 minutes, know which ones have spyware or have a virus installed all from one tool. Now I know this isn't what ClamAV was designed for, but that's the sort of thing you have to expect from software and users - the unexpected but creative uses for a product. Given that it should only take a week or two to gather signatures from the various spyware vendor binaries, I don't see why you all are so adamant about not adding rudimentary detection. To me, spyware is a virus. The only difference is that it wreaks havoc on the human psyche instead of wreaking havoc on binary data.

--
Thomas Hruska
Re: [Clamav-users] Spyware detection...
Thomas Hruska said:
> Dennis Peterson wrote:
>> Thomas Hruska said:
>>
>>> I hate to crosspost, but since it appears no one reads the Win32 list, I
>>> switched my subscription to the main users list.
>>
>> Everything you require can be found at Google. As you observed, ClamAV is
>> not in the spyware detection business.
>>
>> dp
>
> No it can't because I've spent the past two days searching Google going
> through thousands of results.

Google has told you what you need - the tool you are after does not exist.

dp
Re: [Clamav-users] Spyware detection...
Dennis Peterson wrote:
> Thomas Hruska said:
> > I hate to crosspost, but since it appears no one reads the Win32 list, I
> > switched my subscription to the main users list.
>
> Everything you require can be found at Google. As you observed, ClamAV is
> not in the spyware detection business.
>
> dp

No it can't because I've spent the past two days searching Google going through thousands of results. The tool I'm looking for needs to be:

1) Command-line driven.
2) Reputable and well-received.
3) Writes its output to stdout.
4) Has a decent set of command line options.
5) Scans for spyware.
6) Has the option to only detect the existence of spyware, not remove it.

ClamAV is the closest thing I've found...only it doesn't do spyware detection. I'm asking for detection only, not removal. Since virus writers and spyware vendors (companies who specialize in writing spyware) produce binaries, and since signatures can be gathered from binaries, ClamAV seems like the tool I want. Only problem is that it doesn't detect spyware vendor binaries. I could care less if someone made a custom spyware solution for their application as long as the major vendors are detected.

--
Thomas Hruska
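The six requirements above are met by clamscan itself once it has signatures to match, because clamscan never removes anything unless told to. What follows is an added example, not code from ClamAV or from anyone in this thread: a detect-only sweep that wraps clamscan and parses its per-file lines, whose documented shape is "<path>: <name> FOUND", into a per-host report. It assumes the machines to check are mounted read-only under one root with one directory per host (an earlier poster in this thread scanned over smbmount); the root, the host names and the sample output are constructed. The clamscan options (-r, --infected, --no-summary, -d) and exit codes (0 clean, 1 something found, 2 error) are real.

```python
"""Detect-only sweep: run clamscan over mounted hosts, report per host.

Added example, not code from ClamAV or from anyone in this thread.  It
meets the requirement list above (command line, stdout, detect but never
remove) by wrapping clamscan and parsing its per-file lines, whose
documented shape is "<path>: <name> FOUND".  Assumptions: the hosts are
mounted read-only under one root, one directory per host; the root, host
names and SAMPLE_OUTPUT below are constructed.  clamscan options and exit
codes used here are real:
  -r recurse, --infected print only hits, --no-summary, -d extra database
  exit 0 clean, 1 something found, 2 error.
Note that -d replaces the default database location, so pass the stock
database directory as well if the regular signatures should load too.
"""
import subprocess
from collections import defaultdict
from pathlib import PurePosixPath

EXIT_MEANING = {0: "clean", 1: "detections", 2: "error"}

# Constructed output of a run *without* --infected so all three line kinds appear.
SAMPLE_OUTPUT = """\
/srv/share/host01/Program Files/Foo/bar.dll: Spyware.Demo.Beacon FOUND
/srv/share/host01/Program Files/Foo/readme.txt: OK
/srv/share/host02/WINDOWS/system32/upd.exe: Adware.Example-1 FOUND
/srv/share/host02/WINDOWS/notepad.exe: OK
/srv/share/host03/pagefile.sys: Can't access file ERROR
"""


def build_command(root, extra_dbs=()):
    """argv for a recursive, detect-only clamscan (nothing is removed)."""
    cmd = ["clamscan", "-r", "--infected", "--no-summary"]
    for db in extra_dbs:                 # e.g. a hand-made .ndb/.hdb
        cmd += ["-d", db]
    cmd.append(str(root))
    return cmd


def parse_clamscan_output(text):
    """Return [(path, status, detail)] with status FOUND / OK / ERROR.
    Split on the last ': ' so a path that itself contains ': ' still parses."""
    records = []
    for line in text.splitlines():
        line = line.rstrip()
        path, sep, rest = line.rpartition(": ")
        if not sep:
            continue                     # warnings and other non-file lines
        if rest == "OK":
            records.append((path, "OK", ""))
        elif rest.endswith(" FOUND"):
            records.append((path, "FOUND", rest[:-len(" FOUND")]))
        elif rest.endswith(" ERROR"):
            records.append((path, "ERROR", rest[:-len(" ERROR")]))
    return records


def host_of(path, root):
    """First path component below root = host directory (assumed layout)."""
    try:
        return PurePosixPath(path).relative_to(root).parts[0]
    except (ValueError, IndexError):
        return "?"


def report(records, root):
    """Group hits and unreadable files by host.  Errors matter: an
    unreadable file is an unscanned file, not a clean one."""
    hits, errors = defaultdict(list), defaultdict(int)
    for path, status, detail in records:
        host = host_of(path, root)
        if status == "FOUND":
            hits[host].append((path, detail))
        elif status == "ERROR":
            errors[host] += 1
    return hits, errors


def sweep(root, extra_dbs=()):
    """Run clamscan for real (needs it installed) and summarise."""
    proc = subprocess.run(build_command(root, extra_dbs), capture_output=True, text=True)
    hits, errors = report(parse_clamscan_output(proc.stdout), root)
    return EXIT_MEANING.get(proc.returncode, "unknown"), hits, errors


if __name__ == "__main__":
    hits, errors = report(parse_clamscan_output(SAMPLE_OUTPUT), "/srv/share")
    for host, found in sorted(hits.items()):
        for path, name in found:
            print(f"{host}\t{name}\t{path}")
    for host, n in sorted(errors.items()):
        print(f"{host}\tUNSCANNED\t{n} file(s) could not be read")
```

Two things the report deliberately keeps that a plain grep for FOUND would lose: the ERROR count per host, since a locked pagefile or an unreadable share is a gap in coverage rather than a clean result, and the clamscan exit code, so a scheduler can distinguish "ran and found nothing" from "could not run".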
Re: [Clamav-users] Spyware detection...
Dale Walsh wrote:
> What you're asking for sounds simple however, how do you establish detection??

Can't you use the existing signature scanning technology in ClamAV to identify known spyware vendors? Spyware vendors distribute either embedded libraries or have specific DLLs or EXEs - something is probably similar for each vendor to draw signatures from their toolkits. In fact, Lavasoft Adaware switched, a couple versions ago, to a signature database...very similar to how AV products work. I'm not asking to be able to determine if a custom spyware solution is spyware. Just cover the major spyware vendors with signatures and that will catch about 80 to 90 percent of the most popular spyware enabled applications out there, which is "good enough" for my purposes.

--
Thomas Hruska
Re: [Clamav-users] Spyware detection...
Thomas Hruska said:
> I hate to crosspost, but since it appears no one reads the Win32 list, I
> switched my subscription to the main users list.

Everything you require can be found at Google. As you observed, ClamAV is not in the spyware detection business.

dp
Re: [Clamav-users] Spyware detection...
On Sep 11, 2005, at 10:07 PM, Thomas Hruska wrote:
> I hate to crosspost, but since it appears no one reads the Win32 list, I
> switched my subscription to the main users list.
>
> I've got ClamAV working and that is all good and fine. However, I looked
> in the archives of the clamav-users list and saw that still as of June
> 2005, ClamAV is completely uninterested in at least detecting spyware. I
> have a problem with that.
>
> Here is how I define a virus:
> - A digital invasion of unwanted and undesired bits in a computer system
> designed to infiltrate and change the state in the system in a negative
> manner.
>
> Here is how I define spyware:
> - A digital invasion of unwanted and undesired bits in a computer system
> designed to infiltrate and change the psychological state of the user in
> a negative manner.
>
> Frankly, I could care less if you don't remove spyware from a system with
> ClamAV. What I need is a _reputable_ scanner that works from the command
> line to _detect_ if a system contains spyware. Since ClamAV isn't
> apparently going to be that tool and Google isn't turning up a reputable
> command-line anti-spyware solution with sufficient options, I would
> appreciate a pointer to a tool that does this.
>
> All I need is to have the tool tell me:
> - Yes there is spyware on the system.
> OR
> - No there isn't spyware on the system.
>
> I don't need it to disinfect/remove/whatever - simply recognize that
> there is spyware, what file contains it, and display a notification as
> such on stdout.
>
> Seems to me that this is something simple that ClamAV could easily
> implement in a very short amount of time. For those who don't want to
> scan for spyware, include a command-line switch to "turn off scanning for
> psychological manipulators (spyware, pranks, etc.)".
>
> However, since ClamAV is uninterested in doing anything even remotely
> simple like this, I need someone to point out a _reputable_ tool that is
> better than ClamAV that does psychological manipulator scanning from the
> command-line - preferably open source, but since nothing is turning up on
> SourceForge or Google, I'll be impressed if someone finds anything.
>
> --
> Thomas Hruska

What you're asking for sounds simple however, how do you establish detection?? Currently what little there is that accomplishes this feat looks for specific files by name and watches specific ports in an attempt to determine what is spyware. ClamAV currently has the ability to determine these things with some additional programming but then an additional database would have to be implemented to perform the matches of files and some extra coding to watch ports for activity with the ability to either check on the calling app or from a list of ports to not watch. Then what will occur is that spyware writers will then target these ports making detection more difficult and change the name of the app. Currently you are the spyware detector, you seek out these files and examine apps that access ports that you know shouldn't have activity so if you want something, how about writing something and calling it ClamSPY???

-- Dale
[Clamav-users] Spyware detection...
I hate to crosspost, but since it appears no one reads the Win32 list, I switched my subscription to the main users list.

I've got ClamAV working and that is all good and fine. However, I looked in the archives of the clamav-users list and saw that still as of June 2005, ClamAV is completely uninterested in at least detecting spyware. I have a problem with that.

Here is how I define a virus:
- A digital invasion of unwanted and undesired bits in a computer system designed to infiltrate and change the state in the system in a negative manner.

Here is how I define spyware:
- A digital invasion of unwanted and undesired bits in a computer system designed to infiltrate and change the psychological state of the user in a negative manner.

Frankly, I could care less if you don't remove spyware from a system with ClamAV. What I need is a _reputable_ scanner that works from the command line to _detect_ if a system contains spyware. Since ClamAV isn't apparently going to be that tool and Google isn't turning up a reputable command-line anti-spyware solution with sufficient options, I would appreciate a pointer to a tool that does this.

All I need is to have the tool tell me:
- Yes there is spyware on the system.
OR
- No there isn't spyware on the system.

I don't need it to disinfect/remove/whatever - simply recognize that there is spyware, what file contains it, and display a notification as such on stdout.

Seems to me that this is something simple that ClamAV could easily implement in a very short amount of time. For those who don't want to scan for spyware, include a command-line switch to "turn off scanning for psychological manipulators (spyware, pranks, etc.)".

However, since ClamAV is uninterested in doing anything even remotely simple like this, I need someone to point out a _reputable_ tool that is better than ClamAV that does psychological manipulator scanning from the command-line - preferably open source, but since nothing is turning up on SourceForge or Google, I'll be impressed if someone finds anything.

--
Thomas Hruska
CubicleSoft
[clamav-users] Spyware detection
Which is the status of spyware detection with clamav? I searched through viruses.db and could not find signatures for some samples of spyware. Previously, I had some troubles with a Sony Vaio and tgcmd.exe (=spyware). I tried to detect it running clamscan via smbmount without result.

Is it possible to add signatures for spyware in viruses.db? Has anyone else coped with spyware? I see a good opportunity for improvement of clam here. What's your opinion?

PS. See these links for more info on spyware:
http://www.microdata.com/group/Care%20Tips%20and%20Techniques%20mtl/Spyware.htm
http://fmcpherson.weblogger.com/2002/01/06
http://www.snark.com/support.com/