How to detect spyware over HTTP?
I am trying to detect spyware on my PC by traffic analysis. I am connected to a VPS (the sniffer) by a VPN and I am going to select all the data sent by the POST method. Is this correct? I mean, is the only way to send data out through the POST method? (leaving out CONNECT)
forensics spyware
asked Nov 11 at 1:17
MysticDog
I recommend tracing the spyware back to where you first downloaded it. Have you recently downloaded a malicious file? There are also a number of programs that can help you find and eliminate the spyware. I recommend taking a look at forest's answer.
– CoderPE
Nov 11 at 1:39
2 Answers
There are countless ways spyware can exfiltrate information, including, but not limited to:
- HTTP using a method such as GET, POST, PUT, etc.
- Raw TCP or UDP payload contents.
- Hidden in TCP or even IP headers (e.g. smuggled in the URG pointer).
- ICMP payload contents, which are normally hidden.
Checking for sensitive data sent over HTTP POST will not help you detect spyware as there are so many other ways to exfiltrate information from a compromised server. Unfortunately, you will need to know what you are looking for in order to detect spyware traffic. However, if the spyware is not particularly advanced, there are many operating system-specific tools that you can use which will tell you what processes are communicating with the network. This of course assumes that the spyware is not running as a privileged user, otherwise it could hide from any such tools.
answered Nov 11 at 1:31
forest
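As an added example (not part of forest's answer), here is a small checker for two of the non-HTTP channels listed above: a TCP urgent pointer that carries a value while the URG flag is clear, and ICMP echo payloads that do not match what an ordinary ping puts on the wire. The packets are constructed inline (checksums left at zero, since the parser never verifies them), and the "looks like ping" patterns and the decision rules are assumptions, not a definition of benign traffic.

```python
"""Added example: heuristic checks for TCP URG-pointer smuggling and
non-standard ICMP echo payloads on constructed IPv4 packets."""
import struct

IPPROTO_ICMP, IPPROTO_TCP = 1, 6
TCP_ACK, TCP_URG = 0x10, 0x20


def _ip2b(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(proto, payload, src="10.0.0.5", dst="203.0.113.9"):
    # Minimal 20-byte IPv4 header (constructed sample, checksum zeroed).
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, _ip2b(src), _ip2b(dst))
    return hdr + payload


def build_tcp(sport, dport, flags, urg_ptr=0, payload=b""):
    # 20-byte TCP header: data offset 5, no options, checksum zeroed.
    return struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags,
                       65535, 0, urg_ptr) + payload


def build_icmp_echo(payload):
    # ICMP type 8 (echo request), code 0, checksum zeroed, id=1, seq=1.
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload


def looks_like_ping(payload):
    """Assumed benign shapes: Linux ping (8-byte timestamp followed by the
    bytes 0x10, 0x11, ...) and the fixed alphabet string Windows ping sends."""
    if len(payload) >= 8 and payload[8:] == bytes(range(0x10, 0x10 + len(payload) - 8)):
        return True
    return payload == b"abcdefghijklmnopqrstuvwabcdefghi"


def inspect_packet(pkt):
    """Return a list of (finding, detail) tuples for one IPv4 packet."""
    findings = []
    ver_ihl, _, total, _, _, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    body = pkt[(ver_ihl & 0x0F) * 4:total]
    if proto == IPPROTO_TCP:
        _, _, _, _, off_flags, _, _, urg_ptr = struct.unpack("!HHIIHHHH", body[:20])
        urg_set = bool(off_flags & TCP_URG)
        if urg_ptr and not urg_set:
            # Receivers ignore the pointer when URG is clear, so the field is
            # a free 16-bit slot that legitimate stacks never populate.
            findings.append(("tcp-urgptr-without-URG", f"urg_ptr=0x{urg_ptr:04x}"))
        elif urg_set:
            findings.append(("tcp-URG-flag", f"urg_ptr=0x{urg_ptr:04x}"))  # rare in modern traffic
    elif proto == IPPROTO_ICMP:
        icmp_type = body[0]
        payload = body[8:]
        if icmp_type in (0, 8) and not looks_like_ping(payload):
            findings.append(("icmp-nonstandard-payload", f"{len(payload)} bytes: {payload[:16]!r}"))
    return findings


# Constructed samples: one benign and one suspicious packet per channel.
SAMPLES = {
    "https-ack": build_ipv4(IPPROTO_TCP, build_tcp(51000, 443, TCP_ACK)),
    "tcp-urg-smuggle": build_ipv4(IPPROTO_TCP, build_tcp(51001, 80, TCP_ACK, urg_ptr=0x4142)),
    "linux-ping": build_ipv4(IPPROTO_ICMP, build_icmp_echo(b"\x00" * 8 + bytes(range(0x10, 0x38)))),
    "icmp-tunnel": build_ipv4(IPPROTO_ICMP, build_icmp_echo(b"constructed-sample-exfil-blob-0001")),
}


def scan_samples(samples=SAMPLES):
    """Map sample name -> list of finding names (easy to assert on)."""
    return {name: [f for f, _ in inspect_packet(pkt)] for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, found in scan_samples().items():
        print(f"{name:18} {found or 'no findings'}")
```

The point of the sample set is the caveat in the answer: each check only catches a channel you already decided to look for, and a plain HTTPS ACK with an empty urgent pointer produces nothing, exactly as it should. Feeding real packets in means reading them from a capture on the VPS and handing each IPv4 frame to `inspect_packet`.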
> I mean, is the only way to send data out through the POST method? (leaving out CONNECT)
No. You can encode data in the URL as well. And maybe it doesn't even use HTTP.
You can also encode data in Cookies that are sent through a GET request. The idea that only POST is able to send data is a common misconception. HTML forms aren't even restricted to use POST; you can specify a method.
If it uses HTTP then your best shot is to look for HTTP requests that you didn't make.
Then scan through this list and check them because there's probably a lot of background software/services that do all sorts of HTTP requests as well (such as checking for available updates and whatnot).
edited Nov 11 at 11:28
answered Nov 11 at 11:22
mroman
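As an added example (not part of mroman's answer), the script below triages captured HTTP requests the way the answer suggests: it measures the client-supplied data in every carrier (query string, cookies, body) regardless of method, and flags requests to hosts that are not on a list of software you know makes background requests. The requests, the allowlist and the byte threshold are all constructed for the example.

```python
"""Added example: rank HTTP requests by the data they carry, whatever the
method, and flag destinations that are not in a known-background-traffic list."""
from urllib.parse import urlsplit

KNOWN_HOSTS = {"update.example-vendor.test", "www.example.com"}  # constructed allowlist
DATA_BYTES_THRESHOLD = 64  # assumed: flag requests carrying more client data than this


def parse_request(raw):
    """Split one raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def data_carriers(req):
    """Bytes of client-supplied data per carrier; a GET can carry as much as a POST."""
    query = urlsplit(req["target"]).query
    cookies = req["headers"].get("cookie", "")
    return {
        "query": len(query.encode()),
        "cookie": len(cookies.encode()),
        "body": len(req["body"].encode()),
    }


def triage(raw_requests, known_hosts=KNOWN_HOSTS, threshold=DATA_BYTES_THRESHOLD):
    """One row per request with the reasons (if any) it deserves a closer look."""
    rows = []
    for raw in raw_requests:
        req = parse_request(raw)
        host = req["headers"].get("host", "")
        carriers = data_carriers(req)
        total = sum(carriers.values())
        reasons = []
        if host not in known_hosts:
            reasons.append("unknown-host")
        if total > threshold:
            reasons.append("large-client-data")
        rows.append({"host": host, "method": req["method"], "bytes": total,
                     "carriers": carriers, "reasons": reasons})
    return rows


# Constructed sample requests: a benign update check, then three ways of
# carrying the same kind of payload (body, query string, cookie).
SAMPLE_REQUESTS = [
    "GET /update/check?v=1.2 HTTP/1.1\r\nHost: update.example-vendor.test\r\n"
    "User-Agent: updater/1.2\r\n\r\n",
    "POST /api/report HTTP/1.1\r\nHost: collector.example.test\r\n"
    "Content-Type: application/octet-stream\r\nContent-Length: 100\r\n\r\n" + "x" * 100,
    "GET /img.gif?d=" + "A" * 120 + " HTTP/1.1\r\nHost: cdn.example.test\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: tracker.example.test\r\nCookie: sid=" + "B" * 150 + "\r\n\r\n",
]


if __name__ == "__main__":
    for row in triage(SAMPLE_REQUESTS):
        print(f"{row['method']:5} {row['host']:28} {row['bytes']:4} bytes "
              f"{row['carriers']} {row['reasons'] or 'ok'}")
```

Filtering on POST alone would keep only the second request; the GET with a 120-byte query string and the GET with a 150-byte cookie carry more data to unknown hosts and are the ones a POST-only filter would silently drop. The allowlist does the other half of the answer's advice: it is the list of background software you have already checked, so the remaining rows are the requests you did not make.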