Scan tools

Hi ,

Does anyone know of any tool which could scan a computer and tell if there are any backdoors, worms, tunnels, etc once a software or a component is installed.

The main reason for asking this is we have a software component which is developed in VB and we would like to check if it creates any backdoors, worms etc on the installed machine or what would be the way to be sure that this component does not turn out to be vulnerable.

Please let me know.

Regards,
Satish

I don't know of a single utility that will guarantee to do this, but you could use a manual approach.
To check for backdoors and other 'listeners' - first port scan the machine, then install the software, then port scan again. If installing the software has opened any additional ports that weren't listening before, then investigate and beware. In terms of worms you could use a similar before-and-after approach but look for unauthorised transmitted packets with a packet sniffer.

Thanks for the reply bishop.

I could understand about the port scan but could u please explain little bit more if you can on the steps for worms where I have to look for unauthorised transmitted packets -what does this exactly mean.

In the case of port scan I can find which port is open after installation and investigate for the specific ports but for worms what does unauthorised transmitted packets mean or how will I find out.

Thanks.
Regards,
Satish

Here's something interesting.. okay basically a lot of people use the approach that TheBishop has mentioned, which will find whether the binary has left an open port on your system.. however in todays world of reverse connect and portknocking (yummy) this will not tell you much..

What I suggest you do is this.

1.Sandbox the binary in VMWare or a machine on an isolated network segment.

2. Start a packet capture in ethereal or sniffer of choice. Make sure there is no other traffic on this network segment at the time.

3. Start TCPView www.sysinternals.com

4. Install Zonealarm personal firewall (the free one will do)

5. Run your binary and use it as you would normally


If it is trying to access the network, Zonealarm will popup a box saying so. Make a note of the alert, and select ALLOW. Now look in TCPView, you should see the process and either an open port (LISTENING) or a connection (SYN SENT / ESTABLISHED etc). If there is an outbound connection, make a note of the IP it is going to.

Finally, stop the application through the proper shutdown routine. Now switch off your packet capture utility (which should have been running on a separate system for best results -- beware of sniffing in a switched environment). Go through the traffic that you have captured and see whether there is anything you need to know about.

This will cover the network side of things, getting into the rest of the binary analysis is much more complicated.. and should not strictly be necessary.

Of course this doesn't prove there are no backdoors in the application, they could be time / condition triggered.. and you haven't got the right conditions or time.

If it is a really major application and the implementation is critical, pay a proper application security company.

If you are going with the portscan approach, remember to scan both TCP AND UDP ports.

Cheers,

Thanks for the reply and I will try out what you have mentioned.

Also does this procedure solve the worm's issue or that falls in the application layer ?

Also according to you there is no tool at present using which we can check if the application layer is OK for that we need to go for some profeesional service's right ?

Please let me know. Thanks.