how to detect a spyware over http?
I am trying to detect spyware on my PC by traffic analysis. I am connected to a VPS (the sniffer) by a VPN and I am going to select all the data sent by the POST method. Is this correct? I mean, is the only way to send data out through the POST method? (leaving out CONNECT)
forensics spyware
asked Nov 11 at 1:17
MysticDog
  • I recommend tracing the spyware back to where you first downloaded it. Have you recently downloaded a malicious file? There are also a number of programs that can help you find and eliminate the spyware. I recommend taking a look at forest's answer.
    – CoderPE
    Nov 11 at 1:39
2 Answers
There are countless ways spyware can exfiltrate information, including, but not limited to:

  • HTTP using a method such as GET, POST, PUT, etc.
  • Raw TCP or UDP payload contents.
  • Hidden in TCP or even IP headers (e.g. smuggled in the URG pointer).
  • ICMP payload contents, which are normally hidden.

Checking for sensitive data sent over HTTP POST will not help you detect spyware as there are so many other ways to exfiltrate information from a compromised server. Unfortunately, you will need to know what you are looking for in order to detect spyware traffic. However, if the spyware is not particularly advanced, there are many operating system-specific tools that you can use which will tell you what processes are communicating with the network. This of course assumes that the spyware is not running as a privileged user, otherwise it could hide from any such tools.
answered Nov 11 at 1:31
forest
    I mean the only way to send data out is through the POST method? (leaving out CONNECT)

No. You can encode data in the URL as well. And maybe it doesn't even use HTTP.
You can also encode data in Cookies that are sent through a GET request. The idea that only POST is able to send data is a common misconception. HTML forms aren't even restricted to use POST; you can specify a method.

If it uses HTTP then your best shot is to look for HTTP requests that you didn't make.
Then scan through this list and check them because there's probably a lot of background software/services that do all sorts of HTTP requests as well (such as checking for available updates and whatnot).
edited Nov 11 at 11:28
answered Nov 11 at 11:22
mroman
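As an added example, not code from either answer, the following Python audit applies mroman's advice to a constructed batch of raw HTTP requests: it counts client-supplied bytes in the query string, Cookie header and body regardless of method, skips hosts already recognised as legitimate background traffic, and contrasts the result with the POST-only filter the question proposes. The hosts, paths, values and the KNOWN_HOSTS set are assumptions made up for the example.

```python
from urllib.parse import urlsplit

# Constructed sample of raw HTTP/1.1 requests, as a sniffer on the VPN link
# might see them. Hosts, paths and values are invented for this example.
SAMPLE_REQUESTS = [
    "GET /update/check?v=1.2 HTTP/1.1\r\nHost: updates.example-vendor.test\r\n\r\n",
    "GET /favicon.ico HTTP/1.1\r\nHost: site.example.test\r\n\r\n",
    "POST /upload HTTP/1.1\r\nHost: c2.example.test\r\nContent-Length: 21\r\n\r\n"
    "user=bob&pass=secret1",
    "GET /img.gif?d=dXNlcj1ib2I7cGFzcz1zZWNyZXQx HTTP/1.1\r\nHost: cdn.example.test\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: tracker.example.test\r\n"
    "Cookie: id=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6\r\n\r\n",
]

# Hosts already checked and recognised as legitimate background traffic (assumed).
KNOWN_HOSTS = {"updates.example-vendor.test"}

def parse_request(raw):
    """Split one raw HTTP request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def outbound_channels(target, headers, body):
    """Bytes of client-supplied data per channel, independent of the HTTP method."""
    return {"query": len(urlsplit(target).query),
            "cookie": len(headers.get("cookie", "")),
            "body": len(body)}

def post_only(requests):
    """The filter the question proposes: keep POST requests only."""
    parsed = [parse_request(r) for r in requests]
    return [h.get("host") for m, _, h, _ in parsed if m == "POST"]

def audit(requests, known_hosts=KNOWN_HOSTS, threshold=16):
    """Flag requests to unrecognised hosts carrying data in any channel.
    The byte threshold is a tuning knob: a 5-byte version check stays quiet."""
    findings = []
    for raw in requests:
        method, target, headers, body = parse_request(raw)
        host = headers.get("host", "?")
        if host in known_hosts:
            continue
        channels = outbound_channels(target, headers, body)
        total = sum(channels.values())
        if total >= threshold:
            findings.append({"host": host, "method": method, "bytes": total,
                             "via": [k for k, v in channels.items() if v]})
    return findings
```

Running `audit(SAMPLE_REQUESTS)` flags three hosts (one via the body, one via the query string, one via a cookie), while `post_only(SAMPLE_REQUESTS)` sees only the single request that used POST.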