Botnets - The killer web applications

www.syngress.com
118
Chapter 4 • Common Botnets
427_Bot_ch04.qxt 1/9/07 3:03 PM Page 118


Signs of Compromise
If you believe that your computer could be infected with Spybot, there are a
few clues you can look for to verify your suspicions.

System Folder
Spybot will place a copy of itself in the %System% folder (typically
C:\Windows\System32). Common filenames used by Spybot include:

Bling.exe
Netwmon.exe
Wuamgrd.exe

Registry Entries
Depending on the variant, Spybot could make a broad range of registry
entries. The following are some examples of common registry modifications
found with Spybot variants.

Spybot could add a value to create a shared folder on the Kazaa P2P network,
such as:

Value: “dir0” = “012345:[CONFIGURABLE PATH]”
Registry key: HKEY_CURRENT_USER\SOFTWARE\KAZAA\LocalContent

Spybot adds an entry to ensure that it is started automatically when
Windows starts, such as:

Value: This varies, but it will be something like “Microsoft Update” =
“wuamgrd.exe”.
Registry keys: An entry is made to one or more of the following:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\OLE

Spybot may modify the following registry value to enable or disable DCOM:

Value: “EnableDCOM” = “Y” (or “N”)
Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE

Spybot may modify the following registry value to restrict anonymous
(null-session) network access to the host:

Value: “restrictanonymous” = “1”
Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Spybot may set the Start value of specific services to 4 (SERVICE_DISABLED)
so that they no longer start:

Value: “Start” = “4”
Registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess (Windows Firewall / Internet Connection Sharing)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc (Security Center)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr (Telnet)

Note that EnableDCOM = N, restrictanonymous = 1 and a disabled Telnet service
are also legitimate hardening settings, so on their own they are supporting
evidence rather than proof of infection; the dropped executable in %System%
and the matching autostart entry are the stronger indicators.
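The following PowerShell script is an added triage check written for this page; it is not code from the book or from any Spybot variant. It walks the indicators listed above (dropped executables in %System%, autostart entries pointing at those filenames, the Kazaa share value, the DCOM and Lsa settings, and the three services set to Start = 4) and reports what it finds without changing anything. It assumes it is run from an elevated PowerShell prompt on the suspected Windows host (PowerShell 4 or later, for Get-FileHash); the variable names and the regular expression of suspect filenames are this example's own.

```powershell
# Added triage script for the Spybot indicators listed above.
# Illustrative code for this page, not from the book; it only reports.
# Assumes an elevated prompt and PowerShell 4+ (Get-FileHash).

$findings = @()

# 1. Dropped executables in %System% (C:\Windows\System32 on most installs).
$systemDir = Join-Path $env:SystemRoot 'System32'
foreach ($name in 'Bling.exe', 'Netwmon.exe', 'Wuamgrd.exe') {
    $path = Join-Path $systemDir $name
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += "File present: $path (SHA256 $hash)"
    }
}

# 2. Autostart entries whose command references one of those filenames.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
# Pattern of suspect filenames (assumed for this example; extend as needed).
$suspectPattern = 'bling\.exe|netwmon\.exe|wuamgrd\.exe'
foreach ($key in $autostartKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata
        if ("$($p.Value)" -match $suspectPattern) {
            $findings += "Autostart: $key\$($p.Name) = $($p.Value)"
        }
    }
}

# 3. Kazaa shared-folder value (dir0 = "012345:<configurable path>").
$kazaa = Get-ItemProperty -Path 'HKCU:\SOFTWARE\KAZAA\LocalContent' -ErrorAction SilentlyContinue
if ($kazaa -and $kazaa.dir0) {
    $findings += "Kazaa share: dir0 = $($kazaa.dir0)"
}

# 4. DCOM and anonymous-access settings the bot is known to change.
#    Both are also legitimate hardening settings, so they are weak on their own.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\OLE' -ErrorAction SilentlyContinue
if ($ole -and $ole.EnableDCOM -eq 'N') {
    $findings += 'DCOM disabled (HKLM\SOFTWARE\Microsoft\OLE\EnableDCOM = N)'
}
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa -and $lsa.restrictanonymous -eq 1) {
    $findings += 'Anonymous access restricted (Lsa\restrictanonymous = 1)'
}

# 5. Security-related services set to Start = 4 (SERVICE_DISABLED).
foreach ($svc in 'SharedAccess', 'wscsvc', 'TlntSvr') {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    $cfg = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    if ($cfg -and $cfg.Start -eq 4) {
        $findings += "Service disabled: $svc (Start = 4)"
    }
}

if ($findings.Count -eq 0) {
    'No Spybot indicators from this list were found.'
} else {
    'Possible Spybot indicators:'
    $findings | ForEach-Object { " - $_" }
}
```

Treat a hit under step 1 or 2 as the signal worth acting on, and record the SHA256 so the sample can be submitted or matched later; hits under steps 4 and 5 only matter when they appear alongside the dropped file or autostart entry, because an administrator may have set the same values deliberately. Because the bot runs with the user's privileges and can re-create these entries, run the check again after the file has been removed and the host rebooted.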
