Message-ID: <80d7e40905091611473cf3f04c@mail.gmail.com>
Date: Fri, 16 Sep 2005 12:47:25 -0600
From: "Stephen J. Smoogen" <smooge@gmail.com>
To: ClamAV users ML <clamav-users@lists.clamav.net>
Subject: Re: [Clamav-users] Spyware detection...
In-Reply-To: <20050916000649.63798.qmail@web50515.mail.yahoo.com>
References: <Pine.GSO.4.62.0509121227510.26994@westnet.com>
	<20050916000649.63798.qmail@web50515.mail.yahoo.com>

On 9/15/05, Joanna Roman <joannaroman1207@yahoo.com> wrote:
>
> Whoever is about to submit the spywares, may I ask
> whether those spywares come in via port 80 or port 21?
>

95% of the spyware I have dealt with sends out data from itself on one
of 3 channels:

1) 80/tcp
2) 443/tcp
3) 53/tcp or udp

The rest of it sends out data via some other port (8080, 6667, choose
something on the day).

Getting the spyware is usually done via port 80, although the really
bad spyware, which is mostly malware, may get downloaded from port 443,
8080 or some random port on a compromised botnet. I have not seen much
FTP these days... but it was only about 100 or so tools I looked at,
and I know that is a small subset of some of this crap.
-- 
Stephen J Smoogen.
CSIRT/Linux System Administrator
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
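The three channels listed above (80/tcp, 443/tcp, 53/tcp+udp) plus the "some other port" remainder map directly onto an egress policy a defender can check logs against: web traffic only through the proxy, DNS only from the approved resolvers, everything else blocked and alerted on. The script below is an added example, not code from the list or from the poster; the log line format, the 10.0.0.0/8 internal range, the proxy and resolver addresses and the sample flows are all assumed placeholders.

```python
"""Egress-channel triage for outbound connection logs (added example).

Models the observation that spyware beacons mostly over 80/tcp, 443/tcp and
53/tcp+udp, with the rest on odd ports such as 8080 or 6667. Each outbound
flow is judged against an assumed site egress policy and labelled if it
violates it.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

# Assumed site policy (placeholder addresses, not from the original message)
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
PROXY = ipaddress.ip_address("10.0.0.5")          # only host allowed direct 80/443 egress
RESOLVERS = {ipaddress.ip_address("10.0.0.53")}   # only approved outbound DNS servers
WEB_PORTS = {80, 443}
DNS_PORT = 53


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_line(line: str) -> Flow:
    """Parse one constructed firewall log line of the assumed form
    'src=<ip> dst=<ip> proto=<tcp|udp> dport=<n>'."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Flow(ipaddress.ip_address(fields["src"]),
                ipaddress.ip_address(fields["dst"]),
                fields["proto"].lower(),
                int(fields["dport"]))


def classify(flow: Flow) -> Optional[str]:
    """Return an alert label for an outbound flow that violates egress policy,
    or None if it is allowed. Only internal-to-external flows are judged."""
    if flow.src not in INTERNAL_NET or flow.dst in INTERNAL_NET:
        return None  # not egress (internal-to-internal or inbound)
    if flow.dport in WEB_PORTS and flow.proto == "tcp":
        # Channels 1 and 2: web ports. Allowed only from the proxy itself;
        # a workstation reaching the Internet directly is bypassing inspection.
        return None if flow.src == PROXY else "direct-web-bypass"
    if flow.dport == DNS_PORT:
        # Channel 3: DNS. Only the approved resolvers may query outward;
        # anything else is a candidate for DNS-based beaconing.
        return None if flow.src in RESOLVERS else "external-dns"
    # Everything else (8080, 6667, "something on the day") should not leave at all.
    return f"unexpected-port-{flow.proto}-{flow.dport}"


def triage(lines) -> List[Tuple[str, str, str]]:
    """Return (src, dst, label) for every policy-violating flow in the log."""
    alerts = []
    for line in lines:
        flow = parse_line(line)
        label = classify(flow)
        if label:
            alerts.append((str(flow.src), str(flow.dst), label))
    return alerts


# Constructed sample log (not real traffic)
SAMPLE_LOG = [
    "src=10.0.0.5 dst=198.51.100.10 proto=tcp dport=443",    # proxy: allowed
    "src=10.0.1.20 dst=198.51.100.10 proto=tcp dport=80",    # workstation bypassing proxy
    "src=10.0.0.53 dst=203.0.113.1 proto=udp dport=53",      # resolver: allowed
    "src=10.0.1.20 dst=203.0.113.1 proto=udp dport=53",      # workstation doing its own DNS
    "src=10.0.1.20 dst=198.51.100.99 proto=tcp dport=6667",  # odd port, should not egress
    "src=10.0.1.20 dst=10.0.2.30 proto=tcp dport=8080",      # internal-only, ignored
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(*alert)
```

The point of the split is that the two web channels cannot simply be blocked, so the check is "who is allowed to use them" (the proxy) rather than "is the port open"; the DNS channel is handled the same way, and everything outside those three is treated as an anomaly by default.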