
Thread: Please help me Design a Spyware Test

  1. #1

    Please help me Design a Spyware Test

    Here's the deal: I've done my own testing, and narrowed it down to a couple of enterprise anti-spyware apps.


    Now I need to test it on my live network, with my coworkers' PCs.


    But my department head is asking for real-live testing methodology.


    Any tips on how to design this test so we can get some good data from it?

    thanks in advance!

  2. #2
    Do a little bit of risk assessment and test on machines that won't break your network or business flow if something goes terribly wrong (i.e. if these computers all of a sudden didn't show up for work, things can still work).

    If that works out, and your more important machines in operations have much different policies and/or software, test out on a small group there and try to pick a group that isn't mission critical if possible. It stinks that you don't have a testing environment, but most businesses don't.

  3. #3
    hee hee. You mean IT shouldn't be my test environment?

    that's just crazy talk.


    I'll be rolling out to 3 or 4 of my coworkers. What I really need to ask my boss is if we want to break our machines by doing drive-bys on dangerous sites, or just have it run in the background to know nothing will explode.

    About the only difference between IT and genpop is that we're running XP SP2. I wonder how much of a difference that would make.

  4. #4
    zencoder (AO Senior Cow-beller, Moderator)
    It sounds like your manager wants a Pilot test plan. Soda's right, you really need a sandbox test environment to do the hard crunching on, and usually these are pipe dreams, or they are cobbled together from the dregs of the trash heap.

    But if he wants a test methodology for a Limited Production deployment, that's often referred to as a pilot test phase. Has he given you requirements? Are you supposed to actively attack these systems once they are deployed with the new solution? Usually, in a pilot program we deploy and allow the testers to use the systems normally with no active intervention or action. But we've already done the serious attacking and 'proof of concept' in the lab. The pilot is more of an end user integration test... will they break it, how, when, etc.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  5. #5
    Excellent, zencoder... that's what I'm getting at.

    I've already done my sandboxing on errr... "the dregs of the trash heap" *lol*. I've hit it hard, and the 2 I've got came out on top (CA and SpySubtract).


    I'd prefer a passive test, but I really should check with my boss and see what she wants.

    I'm sure my fellow geeks will try to break it on their own. But that's all well and good.

  6. #6
    zencoder (AO Senior Cow-beller, Moderator)
    Good deal, glad that helped. Make sure you get specific requirements from her. What she wants to see from it, how long it should take, how many users and what sort (often times, pilots are restricted to technically astute users that aren't in the IT department, or IT employees only, etc.) If you need help formulating this into a structure, lemme know.

    Yes, trash heap indeed. I describe mine as the scene inside the Jawa sand crawler from Star Wars. Wires, actuators, piles of fab board everywhere. Yet somehow, a functioning system emerges from that pile.

  7. #7
    I actually just spoke with her about it.


    Basically she wants to do a 2 week run, with just the IT staff, before we make a consensual decision on which app to go with, if either of them.

    The first week is passive, and the second week the guinea pigs can try to break it if they feel comfortable and time permitting.

    I'm going to use my current "server" as the test server and join it to the domain.

    I would appreciate any help you can give formulating this into a structure. I need to create a methodology, but I've never really done it before, and that one link I forwarded to you in the other thread where we spoke about this stuff doesn't help much with what I'm trying to do here.

  8. #8
    Okay. So I need a little help figuring out the best websites for getting infected but not with anything too virulent.


    During my personal testing phase I downloaded Kazaa, Grokster, and surfed to iowrestling.com.


    I need some new sites that have fresh spyware so that we can get some more diverse results.

    Anyone have any ideas?

  9. #9
    Tryska:

    Hello. I did some spyware testing of my own on a Windows 2000 Pro workstation using a config I built up using multiple tools and can offer some ideas.

    Methodology
    Visit websites that are known to contain spyware. Then take system offline and scan for malware.

    Spyware Sites:
    * I went to a bunch of common spyware sites that we found our PCs at work infected with. Note: I just went to these sites, I didn't install any of the toolbars or software they offer, so I was just testing for drive-bys. One exception is the Bargain Buddy toolbar: I did install it and boy was it a nasty one to get rid of. Good news is that my config at least crippled it so it was mostly benign. Sites I went to include (note: dash added to keep the forum from making it a URL hotlink so people don't accidentally click on them):

    bargain-buddy.net (Bargain Buddy)
    -www.1800solutions.com
    roings.com
    coolwebsearch.com
    lop.com
    123greetings.com
    -www.whenu.com, web.whenu.com
    internet-optimizer.com
    -www.purityscan.com
    isearchtech.com (ISTbar)
    -www.dealhelper.com
    213.86.53.230
    216.74.27.24
    64.125.97.10
    couple others I cant remember

    * Another great reference is the Watchers List by an anti-spyware advocate called WebHelper. Get the list and start going to these IPs and sites, there are TONS: http://www.webhelper4u.com/watcher/t...erlistold.html

    Scanning for Infection:
    * Booted up with Knoppix Live Linux CD; shared out hard drive; scanned with virus scanner, trojan hunter (TDS3).

    * Booted up into Safe Mode and scan using spyware detection tools: Spybot S&D, Ad-aware SE Personal, Counter Spy by Sunbelt Software, Spy Sweeper by Webroot

    Let me know if you need any other info or have questions.
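A baseline/diff harness that turns the "visit sites, go offline, scan" procedure in the post above into measurable data: snapshot the box before and after the exposure, list what the drive-bys left behind (dropped files, new Run/BHO entries, hosts-file redirects), then compare that list with what each product's scan reported. This is an added example, not code from the thread or from any of the products it names; the `key path=command` autorun listing format and the bbhelper/bbupdate artifacts are constructed for illustration.

```python
"""Baseline/diff harness for a drive-by spyware exposure run (added example)."""
import hashlib
import os
from dataclasses import dataclass

RUN = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
BHO = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\"


@dataclass
class Snapshot:
    files: dict      # relative path -> sha256 hex digest
    autoruns: dict   # autostart entry (key path) -> command line or DLL
    hosts: set       # hostnames present in the hosts file


def hash_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot_tree(root):
    """Hash every regular file under root (run it against system32 and the
    browser profile directories before and after the exposure)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                files[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full)
            except OSError:
                continue  # locked or vanished file; leave it out of the baseline
    return files


def parse_autoruns(text):
    """Parse a 'key path=command' listing of Run/RunOnce/BHO entries.
    The listing format is an assumption for this example; a real export
    (reg export, Autoruns CSV) needs its own parser."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, cmd = line.partition("=")
        entries[key.strip()] = cmd.strip()
    return entries


def parse_hosts(text):
    """Hostnames in a hosts file; hijackers add redirect lines here."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.update(line.split()[1:])
    return names


def diff_snapshots(before, after):
    """Everything the exposure added or changed."""
    return {
        "new_files": sorted(set(after.files) - set(before.files)),
        "changed_files": sorted(p for p in before.files
                                if p in after.files and after.files[p] != before.files[p]),
        "new_autoruns": {k: v for k, v in after.autoruns.items() if k not in before.autoruns},
        "changed_autoruns": {k: v for k, v in after.autoruns.items()
                             if k in before.autoruns and before.autoruns[k] != v},
        "new_hosts": sorted(after.hosts - before.hosts),
    }


def missed_by_scanner(delta, flagged):
    """Artifacts the diff found that the product's scan report did not list.
    `flagged` holds the file paths and autorun key paths the product reported."""
    found = (set(delta["new_files"]) | set(delta["changed_files"])
             | set(delta["new_autoruns"]) | set(delta["changed_autoruns"]))
    return sorted(found - set(flagged))


# Constructed sample snapshots standing in for real before/after runs; the
# bbhelper/bbupdate names are invented, not a real adware's artifacts.
BEFORE = Snapshot(
    files={"system32/kernel32.dll": "aa" * 32, "system32/shell32.dll": "bb" * 32},
    autoruns=parse_autoruns(RUN + "ctfmon=C:\\WINDOWS\\system32\\ctfmon.exe"),
    hosts=parse_hosts("127.0.0.1 localhost"),
)
AFTER = Snapshot(
    files={"system32/kernel32.dll": "aa" * 32, "system32/shell32.dll": "bb" * 32,
           "system32/bbhelper.dll": "cc" * 32},
    autoruns=parse_autoruns(
        RUN + "ctfmon=C:\\WINDOWS\\system32\\ctfmon.exe\n"
        + RUN + "bbupdate=C:\\WINDOWS\\system32\\bbupdate.exe\n"
        + BHO + "{00000000-0000-0000-0000-000000000000}=C:\\WINDOWS\\system32\\bbhelper.dll"),
    hosts=parse_hosts("127.0.0.1 localhost\n203.0.113.5 www.example.com  # constructed hijack"),
)

if __name__ == "__main__":
    delta = diff_snapshots(BEFORE, AFTER)
    for section, items in delta.items():
        print(section, items)
    # Suppose the product under test only flagged the dropped DLL:
    print("missed:", missed_by_scanner(delta, {"system32/bbhelper.dll"}))
```

Take the baseline on the clean image, visit the site list, pull the cable, take the second snapshot from the Knoppix boot (so nothing on the infected box can hide from the hashing), and only then run each product's scan. The `missed_by_scanner` list per product is the number the pilot should be scored on, since a scanner that reports "clean" on a box whose Run key grew is exactly the failure the boss wants caught.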

  10. #10
    Senior Member
    Wow... that list above is great. I've been looking for more sites to use to trash comps so I can test new products.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com
