Avast WEBforum

Other => General Topics => Topic started by: polonus on November 05, 2007, 06:53:41 PM

Title: Poisoned arp-attack, easy and growing attack vector.....
Post by: polonus on November 05, 2007, 06:53:41 PM
Hi malware fighters,

DNS attacks and malware via poisoned ARP attacks are a growing threat.
Read: http://www.cisrt.org/enblog/read.php?189

polonus
Title: Re: Poisoned arp-attack, easy and growing attack vector.....
Post by: Lusher on November 08, 2007, 01:17:17 PM
I have defenses against this.
Title: Re: Poisoned arp-attack, easy and growing attack vector.....
Post by: bob3160 on November 08, 2007, 04:02:12 PM
Quote
I have defenses against this.
This is actually a very empty statement since you're not listing those defenses. IMHO  :)
Title: Re: Poisoned arp-attack, easy and growing attack vector.....
Post by: Lusher on November 08, 2007, 04:54:28 PM
Quote
I have defenses against this.
This is actually a very empty statement since you're not listing those defenses. IMHO  :)

I've written a couple of thousand words on this elsewhere, so excuse me if I'm a bit tired of writing it down again.

But I'm more curious about what the rest of you do specifically against this...
Title: Re: Poisoned arp-attack, easy and growing attack vector.....
Post by: bob3160 on November 08, 2007, 05:36:47 PM
Quote
I've written a couple of thousand words on this elsewhere, so excuse me if I'm a bit tired of writing it down again.
Repeating it here isn't necessary but a link to the original post you made would be helpful.
Title: Re: Poisoned arp-attack, easy and growing attack vector.....
Post by: polonus on November 09, 2007, 12:47:53 AM
Hi bob3160,

There are programs also for Windows to detect this. Another elegant method could be this.
The final conclusion is that the best way to find injected code was to compare a suspicious document with a known-good document.  Of course, the problem is finding a known-good doc to compare to but, with a bit of thought, you could come up with an additional insight -- an attacker couldn't inject a payload into a doc downloaded over SSL.  So, I think the following would work nicely:

    * wget http://www.microsoft.com/default.aspx (possibly not the _best_ test page, but it'll do for our example)
    * wget https://www.microsoft.com/default.aspx
    * Diff the two documents and look for obviously injected code. 

Unfortunately, the two copies of default.aspx, in this example, will have minor differences but nothing so obvious as an <iframe> pointing somewhere else.

polonus
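A defensive check in the spirit of the http/https comparison above, added here as an example and not code from the original post or the linked article: it parses both copies of a page, reports iframe/script-type elements that appear only in the plain-HTTP copy (the HTTPS copy serves as the known-good reference), and prints a unified diff so the "minor differences" are visible separately. The two sample pages and the iframe address in them are constructed, standing in for the two wget downloads.

```python
import difflib
import re
from html.parser import HTMLParser

# Element types an on-path injector typically adds to an intercepted HTTP page.
SUSPECT_TAGS = {"iframe", "script", "object", "embed"}


class _TagCollector(HTMLParser):
    """Collects (tag, src) pairs for every element in SUSPECT_TAGS."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in SUSPECT_TAGS:
            self.found.append((tag, dict(attrs).get("src", "")))


def suspect_tags(html):
    parser = _TagCollector()
    parser.feed(html)
    return parser.found


def normalise(html):
    # Collapse whitespace so layout-only differences do not clutter the diff.
    return re.sub(r"\s+", " ", html).strip()


def injected_elements(http_html, https_html):
    """Suspect elements present in the HTTP copy but absent from the HTTPS copy."""
    reference = set(suspect_tags(https_html))
    return [t for t in suspect_tags(http_html) if t not in reference]


def text_diff(http_html, https_html):
    """Unified diff of the normalised copies, one element per line."""
    a = normalise(https_html).split("> ")
    b = normalise(http_html).split("> ")
    return "\n".join(difflib.unified_diff(a, b, "https", "http", lineterm=""))


# Constructed sample pages: the HTTPS copy is clean, the HTTP copy carries a hidden
# iframe plus a harmless per-request difference (the session id).
HTTPS_PAGE = """<html><head><title>Example</title>
<script src="/js/site.js"></script></head>
<body><p>Session id: 1234</p></body></html>"""
HTTP_PAGE = """<html><head><title>Example</title>
<script src="/js/site.js"></script></head>
<body><p>Session id: 9876</p>
<iframe src="http://203.0.113.7/x.html" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, src in injected_elements(HTTP_PAGE, HTTPS_PAGE):
        print(f"injected <{tag}> pointing at {src}")
    print(text_diff(HTTP_PAGE, HTTPS_PAGE))
```

The element comparison is what flags the injected iframe; the session id change only shows up in the textual diff, which is the kind of benign difference the post warns about.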


Title: Re: Poisoned arp-attack, easy and growing attack vector.....
Post by: Lusher on November 09, 2007, 02:44:21 PM
Quote
Hi bob3160,

There are programs also for Windows to detect this.

And you don't tell us what these are??

Watch out, Bob3160 is coming to bite your head off for teasing us... :D

PS For the record I was referring to these programs...