Thursday, 10 November 2005

As a part of my job I monitor the ResNet of a university for drones (trojan infections that 'phone home' somewhere allowing a cracker control of the infected system).
I created a tool today to convert a list of domain names that known trojans phone home to into Snort rules which alert on the DNS query. The generated rules are not a guarantee of infection (there are ways to trick people into resolving a trojan's phone-home address); however, they work well as a sign to watch for evil traffic from a network host.
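
A sketch of such a converter, added here as an illustration and not the tool described in this post: it encodes each domain the way it appears in a DNS question (length-prefixed labels) and emits one Snort rule per name. The function names, message text, starting SID and sample domains are assumptions.

```python
import re

# Constructed sample list (reserved .example names), not real indicators.
SAMPLE_LIST = """\
# phone-home domains
irc.botnet.example
Update.Badhost.example.
irc.botnet.example
not a domain!
"""
LABEL_RE = re.compile(r"^[a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?$")

def normalise(line):
    """Return a lower-case domain without trailing dot, or None if unusable."""
    name = line.split("#", 1)[0].strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return None
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(l) for l in labels):
        return None
    return name

def dns_content(name):
    """Encode a name as in a DNS question: each label prefixed by its length."""
    parts = ["|%02X|%s" % (len(label), label) for label in name.split(".")]
    return "".join(parts) + "|00|"

def to_rule(name, sid):
    """Build one Snort rule that alerts on a query for `name` or a subdomain."""
    # offset:12 starts the search after the fixed 12-byte DNS header;
    # SIDs from 1000000 upward are the range set aside for local rules.
    return ('alert udp $HOME_NET any -> any 53 '
            '(msg:"DNS query for known trojan phone-home domain %s"; '
            'content:"%s"; nocase; offset:12; '
            'classtype:trojan-activity; sid:%d; rev:1;)'
            % (name, dns_content(name), sid))

def convert(text, first_sid=1000000):
    """Turn a domain list into rules, skipping comments, junk and duplicates."""
    seen, rules = set(), []
    for line in text.splitlines():
        name = normalise(line)
        if name and name not in seen:
            seen.add(name)
            rules.append(to_rule(name, first_sid + len(rules)))
    return rules

if __name__ == "__main__":
    print("\n".join(convert(SAMPLE_LIST)))
```

Label validation keeps `"`, `;`, `|` and `\` out of the generated `content` and `msg` strings, so a malformed list entry cannot break the rule syntax.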