TOPIC: Scan tools

Scan tools 12 years 2 months ago #4871

sjk (New Member)
Hi,

Does anyone know of any tool which could scan a computer and tell if there are any backdoors, worms, tunnels, etc. once a piece of software or a component is installed?

The main reason for asking this is that we have a software component which is developed in VB, and we would like to check if it creates any backdoors, worms, etc. on the installed machine, or what would be the way to be sure that this component does not turn out to be vulnerable.

Please let me know.

Regards,
Satish

Backdoors 12 years 2 months ago #4874

TheBishop (Moderator)
I don't know of a single utility that will guarantee to do this, but you could use a manual approach.
To check for backdoors and other 'listeners' - first port scan the machine, then install the software, then port scan again. If installing the software has opened any additional ports that weren't listening before, then investigate and beware. In terms of worms you could use a similar before-and-after approach but look for unauthorised transmitted packets with a packet sniffer.

Re: Scan tools 12 years 2 months ago #4875

sjk (New Member)
Thanks for the reply, Bishop.

I could understand the port scan part, but could you please explain a little bit more, if you can, on the steps for worms where I have to look for unauthorised transmitted packets? What does this exactly mean?

In the case of a port scan I can find which port is open after installation and investigate the specific ports, but for worms, what do unauthorised transmitted packets mean, or how will I find them out?

Thanks.
Regards,
Satish

Re: Scan tools 12 years 2 months ago #4879

sahirh (Honored Member)
Here's something interesting.. okay, basically a lot of people use the approach that TheBishop has mentioned, which will find whether the binary has left an open port on your system.. however, in today's world of reverse connect and port knocking (yummy) this will not tell you much..

What I suggest you do is this.

1. Sandbox the binary in VMware or a machine on an isolated network segment.

2. Start a packet capture in Ethereal or sniffer of choice. Make sure there is no other traffic on this network segment at the time.

3. Start TCPView (www.sysinternals.com).

4. Install ZoneAlarm personal firewall (the free one will do).

5. Run your binary and use it as you would normally.

If it is trying to access the network, ZoneAlarm will pop up a box saying so. Make a note of the alert, and select ALLOW. Now look in TCPView; you should see the process and either an open port (LISTENING) or a connection (SYN SENT / ESTABLISHED etc.). If there is an outbound connection, make a note of the IP it is going to.

Finally, stop the application through the proper shutdown routine. Now switch off your packet capture utility (which should have been running on a separate system for best results -- beware of sniffing in a switched environment). Go through the traffic that you have captured and see whether there is anything you need to know about.

This will cover the network side of things, getting into the rest of the binary analysis is much more complicated.. and should not strictly be necessary.

Of course this doesn't prove there are no backdoors in the application, they could be time / condition triggered.. and you haven't got the right conditions or time.

If it is a really major application and the implementation is critical, pay a proper application security company.
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com

Re: Scan tools 12 years 2 months ago #4881

sahirh (Honored Member)
If you are going with the portscan approach, remember to scan both TCP AND UDP ports.

Cheers,
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
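The before-and-after comparison that TheBishop describes, the TCPView check in sahirh's step list, and the reminder to look at UDP as well as TCP all reduce to one operation: diff the socket table from before installation against the one taken while the component is running. The following script is an added example, not code from the thread or from any tool named in it; it assumes netstat -an style text as input, and the two snapshots embedded in it are constructed for the demonstration.

```python
# Before/after socket-table diff for vetting a freshly installed component.
# Input is netstat -an style text: PROTO LOCAL REMOTE [STATE]. UDP rows carry
# no state, so both protocols are parsed and compared, not just TCP.
import re

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", re.I)

def parse_snapshot(text):
    """netstat-style output -> set of (proto, local, remote, state); header lines skipped."""
    socks = set()
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, local, remote, state = m.groups()
            socks.add((proto.upper(), local, remote, (state or "").upper()))
    return socks

def is_listener(proto, remote, state):
    # TCP reports LISTENING; an unbound UDP socket shows '*:*' (Windows) or '0.0.0.0:*' (Linux)
    return state == "LISTENING" or (proto == "UDP" and remote.endswith(":*"))

def diff_snapshots(before, after):
    """Sockets present only in the 'after' snapshot, sorted into what to investigate."""
    report = {"new_listeners": [], "new_outbound": [], "other": []}
    for proto, local, remote, state in sorted(parse_snapshot(after) - parse_snapshot(before)):
        if is_listener(proto, remote, state):
            report["new_listeners"].append(f"{proto} {local}")
        elif state in ("SYN_SENT", "ESTABLISHED"):
            # the peer address is the IP the component is talking to; note it for the capture review
            report["new_outbound"].append(f"{proto} {local} -> {remote} {state}")
        else:
            report["other"].append(f"{proto} {local} -> {remote} {state}")
    return report

# Constructed sample snapshots (not real captures): baseline, then after install and use
BEFORE = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
UDP    0.0.0.0:137            *:*
"""
AFTER = BEFORE + """\
TCP    0.0.0.0:8085           0.0.0.0:0              LISTENING
TCP    192.168.1.10:49201     203.0.113.5:8443       SYN_SENT
UDP    0.0.0.0:6000           *:*
"""
```

Anything listed under new_listeners or new_outbound is what you then chase in the packet capture; the same diff applied to a quiet baseline should come back empty, which is a useful sanity check of the isolated segment before running the binary.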

Re: Scan tools 12 years 2 months ago #4888

sjk (New Member)
Thanks for the reply, and I will try out what you have mentioned.

Also, does this procedure solve the worm issue, or does that fall in the application layer?

Also, according to you there is no tool at present with which we can check if the application layer is OK, and for that we need to go for some professional services, right?

Please let me know. Thanks.