Hand Tools for unraveling unknown infections.
Posted 16 July 2005 - 09:15 AM
It helps to have a knowledge of all the places ITDs can hide, and to have some tools that will look in those places (in addition to HijackThis).
And it helps to have a few tools that can reach into the cracks where you found them hiding and pluck them out.
Then you need some strategies to use them...
Here are some which have helped me in the past. Do you have any other tools/techniques to share?
Posted 16 July 2005 - 09:46 AM
First, the ITD probably is running one or more processes. Sometimes they hide under the cloak of another process like SVCHOST or CSRSS or WINLOGON or as a BHO under IE.
(And there are other places I don't know about, but that's a horror story for another thread. PE won't show them all, except as threads which are most difficult to match to actual code without a debugger and symbols...)
PE has a "Suspend" feature that can freeze processes. When two processes are monitoring each other and restarting their mate when it's killed, suspending both will let you kill each in turn without the other getting a chance to repair things.
You can easily Google a process -- right click and see what the WWW knows about it.
The properties page will tell for services what services each copy of SVCHOST is running.
You can verify the module against the security catalog to see that it's the original unadulterated (Microsoft) shipped file.
The properties page will also search a process for character strings which might suggest something when you review them.
TCP ports and performance history are on the properties page too, as well as a list of threads.
The resource listing for each process (lower window) can sometimes give a hint from a file or mutex name.
PE will search for handles or DLLs by partial name and allow you to easily kill these open handles. (Killing all the handles will generally allow you to delete something that is "in use", meaning Windows won't let you delete/rename it because other task(s) have it open.)
When Explorer is broken, I've used PE as a new shell (HKLM/Software/Microsoft/Windows NT/Current Version/WinLogon "Shell"). You won't have a desktop, but there are "RUN" and "Shutdown" commands on the PE menus that can let you get started doing real work.
Running "explorer" in this environment doesn't start the desktop but opens an explorer window. I've had occasions where the desktop was broken, but the window worked and this is the technique I used to get past the broken desktop.
(You can edit the registry of a broken machine by moving the hard disk to another machine and loading the register as a new hive in the working machine's registry.)
Edited by HiTechHiTouch, 16 July 2005 - 10:39 AM.
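Two of the checks described above (the Winlogon "Shell" value and which services each copy of SVCHOST is hosting) done from PowerShell instead of the Process Explorer GUI, as an added example that is not part of the original post. It assumes a current Windows host where the CIM cmdlets are available; the expected default values are the stock ones for explorer.exe and userinit.exe.

```powershell
# Added example, not from the original post: script versions of two checks
# the post does by hand in Process Explorer.

# 1. Winlogon "Shell"/"Userinit": the post swaps Shell for procexp.exe as a
#    recovery trick; malware makes the same swap for persistence, so compare
#    both values against the stock defaults.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"   # trailing comma is stock
}
$values = Get-ItemProperty -Path $winlogon
foreach ($name in $expected.Keys) {
    $actual = $values.$name
    if ($actual -ne $expected[$name]) {
        Write-Warning "Winlogon $name is '$actual' (expected '$($expected[$name])')"
    } else {
        Write-Output "Winlogon $name OK: $actual"
    }
}

# 2. Which services live inside each svchost.exe, i.e. the Services tab of the
#    Process Explorer properties page. Group running services by host PID.
$byPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object ProcessId

$byPid | ForEach-Object {
    $proc = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PID      = [int]$_.Name
        Image    = if ($proc) { $proc.Path } else { '<exited>' }
        Services = ($_.Group.Name -join ', ')
    }
} | Sort-Object PID | Format-Table -AutoSize

# 3. A process named svchost.exe that hosts no service at all is exactly the
#    kind of "hiding under the cloak of another process" the post describes.
$servicePids = $byPid | ForEach-Object { [int]$_.Name }
Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -notin $servicePids } |
    ForEach-Object { Write-Warning "svchost.exe PID $($_.Id) hosts no service: $($_.Path)" }
```

Anything flagged by step 3 still deserves the same treatment the post recommends (Google the image, verify it against the catalog, look at its strings) before you act on it; an svchost instance can legitimately appear empty for a moment while its service is starting or stopping.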
Posted 16 July 2005 - 09:52 AM
AutoRuns can also delete or deactivate entries, similar to MSConfig. However, sometimes it's either apparently not able to, or the ITD slammed the entry back in as soon as AutoRuns removed it...
This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor (A starting list of auto-run locations was obtained from David Solomon's "Windows Internals" seminar), shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys. You can configure Autoruns to show other locations, including Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond the MSConfig utility bundled with Windows Me and XP.
Autoruns' Hide Signed Microsoft Entries option helps you to zoom in on third-party auto-starting images that have been added to your system and it has support for looking at the auto-starting images configured for other accounts configured on a system. Also included in the download package is a command-line equivalent that can output in CSV format, Autorunsc.
Posted 16 July 2005 - 09:59 AM
There are realtime monitors that watch actual I/O. I've set filters to watch particular keys (like startup entries) to catch the module/process which was adding the one that started an ITD. If you know who did the damage, you can disable it and trace its contacts. Same for when a file is loaded (attached) by a running process.
Regmon is a Registry monitoring utility that will show you which applications are accessing your Registry, which keys they are accessing, and the Registry data that they are reading and writing - all in real-time. This advanced utility takes you one step beyond what static Registry tools can do, to let you see and understand exactly how programs use the Registry. With static tools you might be able to see what Registry values and keys changed. With Regmon you'll see how the values and keys changed.
FileMon monitors and displays file system activity on a system in real-time. Its advanced capabilities make it a powerful tool for exploring the way Windows works, seeing how applications use the files and DLLs, or tracking down problems in system or application file configurations. Filemon's timestamping feature will show you precisely when every open, read, write or delete, happens, and its status column tells you the outcome. FileMon is so easy to use that you'll be an expert within minutes. It begins monitoring when you start it, and its output window can be saved to a file for off-line viewing. It has full search capability, and if you find that you're getting information overload, simply set up one or more filters.
Posted 16 July 2005 - 10:02 AM
Once in a while I need a command line tool, like when I'm running in safe mode command prompt. Note these are NT/2K/XP only.
The Windows NT and Windows 2000 Resource Kits come with a number of command line tools that help you administer your Windows NT/2K systems. Over time, I've grown a collection of similar tools, including some not included in the Resource Kits. What sets these tools apart is that they all allow you to manage remote systems as well as the local one. The first tool in the suite was PsList, a tool that lets you view detailed information about processes, and the suite is continually growing. The "Ps" prefix in PsList relates to the fact that the standard UNIX process listing command-line tool is named "ps", so I've adopted this prefix for all the tools in order to tie them together into a suite of tools named PsTools.
Note: some anti-virus scanners report that one or more of the tools are infected with a "remote admin" virus. None of the PsTools contain viruses, but they have been used by viruses, which is why they trigger virus notifications.
The tools included in the PsTools suite, which are downloadable individually or as a package, are:
* PsExec - execute processes remotely
* PsFile - shows files opened remotely
* PsGetSid - display the SID of a computer or a user
* PsKill - kill processes by name or process ID
* PsInfo - list information about a system
* PsList - list detailed information about processes
* PsLoggedOn - see who's logged on locally and via resource sharing (full source is included)
* PsLogList - dump event log records
* PsPasswd - changes account passwords
* PsService - view and control services
* PsShutdown - shuts down and optionally reboots a computer
* PsSuspend - suspends processes
* PsUptime - shows you how long a system has been running since its last reboot (PsUptime's functionality has been incorporated into PsInfo)
All of the utilities in the PsTools suite work on Windows NT, Windows 2000, Windows XP and Windows Server 2003. The PsTools download package includes an HTML help file with complete usage information for all the tools.
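The "suspend both, then kill each in turn" trick from the Process Explorer post, scripted with PsSuspend and PsKill from the suite listed above, as an added example that is not part of the original post or of the PsTools documentation. It assumes pssuspend.exe and pskill.exe are on the PATH and that the process IDs have already been identified with PsList or Process Explorer; the PIDs passed in are placeholders.

```powershell
# Added example, not from the original post: freeze a set of mutually
# restarting processes before terminating any of them.
param(
    [Parameter(Mandatory = $true)]
    [int[]] $Pids    # e.g. -Pids 1234,5678 (placeholder values)
)

# Suspend every process first, so that no watchdog is scheduled between kills.
# Stop on the first failure: a half-suspended pair is worse than none.
foreach ($p in $Pids) {
    & pssuspend.exe $p
    if ($LASTEXITCODE -ne 0) { throw "pssuspend failed for PID $p" }
}

# Record the image names now; a respawn would come back under a new PID.
$images = foreach ($p in $Pids) {
    (Get-Process -Id $p -ErrorAction SilentlyContinue).ProcessName
}

# Now terminate them one at a time. A suspended watchdog cannot respawn its mate.
foreach ($p in $Pids) {
    & pskill.exe $p
    if ($LASTEXITCODE -ne 0) { Write-Warning "pskill returned $LASTEXITCODE for PID $p" }
}

# Verify by PID and by image name.
Start-Sleep -Seconds 2
foreach ($p in $Pids) {
    if (Get-Process -Id $p -ErrorAction SilentlyContinue) {
        Write-Warning "PID $p is still running"
    } else {
        Write-Output "PID $p terminated"
    }
}
foreach ($name in ($images | Where-Object { $_ } | Sort-Object -Unique)) {
    $back = Get-Process -Name $name -ErrorAction SilentlyContinue
    if ($back) { Write-Warning "$name respawned as PID(s) $($back.Id -join ', ')" }
}
```

If the image-name check fires, something other than the two you froze is doing the restarting (a service, a scheduled task or a third process), which is where the Autoruns and Regmon posts in this thread come in.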
Posted 16 July 2005 - 10:20 AM
IceSword http://xfocus.net/to...00505/1032.html (Chinese)
A rootkit virtualizes or puts a shell around the operating system. Intercepting all requests of the system, it edits the system's responses. For example, if you ask for a list of files, a rootkit can make sure the list returned is missing those associated with an ITD, thus rendering it "invisible".
Rootkits can be beaten (sometimes) by low level utilities which directly read the disk or memory to directly present the information. A list of these utilities would be a great subject....
Rootkit revealers work in this method. They make many different calls to the OS and verify the results against a direct reference of the OS data itself. If there is a discrepancy, a rootkit may be altering the OS response (or things may have just changed dynamically, such as files being added or deleted).
As you might expect, there is a cat & mouse game between the rootkit writers and rootkit revealers. As of July 2005, IceSword -- Chinese only -- just triumphed over Hacker Defender (HxDef). An interesting article by Brian Livingston about IceSword is IceSword Author Speaks Out On 'Rootkits'
If the normal tools just can't see something you know ought to be there, try looking for a rootkit.
Posted 16 July 2005 - 10:35 AM
I can't find the author's site, but here is a download link Pocket Killbox via Bleepingcomputer.com.
1) kill a process and when killing the process, end the explorer shell while killing it.
2) delete (or replace) a file, or delete a directory or directory tree now or on reboot. DLLs can be unregistered before they are deleted. A file can be replaced with a dummy process, so that if an ITD doesn't look too closely, it won't notice that part of it has been defanged.
It also has a couple of niceties, like a direct open of the SessionManager key, deleting temp files, opening the HOST file or the Services console.
Posted 16 July 2005 - 10:43 AM
In NT/2K/XP, a handy trick is to set the permissions on an object (file) to everyone/deny so that the ITD can't access it. Occasionally there has been a stubborn exe file that was always being loaded -- I could not figure out who was doing the load. But when I set permissions to "deny" then the ITD couldn't start it executing.
I also turned on security auditing (failures) to find out more about who was trying to access it after I set the deny permissions.
If you have an XP Home system, boot up in safe mode and the security tab will become visible.
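The Everyone/Deny permission plus failure auditing from the post above, done with PowerShell and the .NET ACL classes rather than the Security tab, as an added example that is not part of the original post. It assumes an elevated session (setting a SACL needs SeSecurityPrivilege) and a Vista-or-later auditpol; the file path is a placeholder.

```powershell
# Added example, not from the original post: deny all access to a file so it
# cannot be started, then audit who keeps trying.
$target = 'C:\Quarantine\suspect.exe'   # placeholder path

# 1. Everyone/Deny on the DACL. Deny ACEs are evaluated before Allow ACEs, so
#    this wins even if some other entry grants the file execute rights.
$acl  = Get-Acl -Path $target
$deny = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                   -ArgumentList 'Everyone', 'FullControl', 'Deny'
$acl.AddAccessRule($deny)
Set-Acl -Path $target -AclObject $acl

# 2. Failure audit on the SACL: every denied open is written to the Security log
#    with the requesting account and process.
$sacl  = Get-Acl -Path $target -Audit
$audit = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                    -ArgumentList 'Everyone', 'FullControl', 'Failure'
$sacl.AddAuditRule($audit)
Set-Acl -Path $target -AclObject $sacl

# 3. Object-access auditing must also be enabled system-wide or the SACL never
#    produces an event. (On XP this is the "Audit object access" policy instead.)
auditpol /set /subcategory:"File System" /failure:enable

# 4. Read back the results: event 4656 ("a handle to an object was requested"),
#    failure audits only, filtered to our file.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$target*" } |
    Select-Object TimeCreated, Message |
    Format-List
```

The 4656 message body names the "Process Name" and "Account Name" that asked for the handle, which answers the post's "who was doing the load" question without a debugger.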
Posted 16 July 2005 - 10:52 AM
Sometimes, getting the cleaners installed can be a b-i-t-c-h because you can only get up in safe mode, but MSI won't run in safe mode. This is because it needs the MSISERVER service to be active, and safe mode won't let it start.
The list of allowed safe mode services is kept in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot in two subkeys Minimal and Network.
I add a subkey to the Network key of MSIServer with the default value set to "Service".
Windows Registry Editor Version 4.00
Then I come up in Safe Mode with Networking, and install Counterspy or MS Antivirus, etc.
I'd also like to install AVG Free edition, but the AVG installer seems to install a temporary service, use it, and delete it. I don't know the name of the temporary service to add to the list. Do you?
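The SafeBoot edit the post describes (a subkey named after the service under SafeBoot\Network, default value "Service"), done from PowerShell with a check before and after, as an added example that is not part of the original post. It assumes an elevated session; the post's own .reg file would carry the same key as [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer] with @="Service".

```powershell
# Added example, not from the original post: allow the Windows Installer
# service to start in Safe Mode with Networking, then list the whole allow list.
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
$service  = 'MSIServer'

# Only whitelist a service that really exists under that name.
if (-not (Get-Service -Name $service -ErrorAction SilentlyContinue)) {
    throw "No service named $service on this machine"
}

$key = Join-Path -Path $safeBoot -ChildPath $service
if (-not (Test-Path -Path $key)) {
    # New-Item -Value sets the key's (Default) value; "Service" marks a service
    # entry, "Driver" marks a driver group entry.
    New-Item -Path $key -Value 'Service' | Out-Null
}

# Verify the entry reads back correctly.
$default = (Get-ItemProperty -Path $key).'(default)'
if ($default -ne 'Service') { throw "SafeBoot entry for $service is '$default'" }
Write-Output "$service will be allowed in Safe Mode with Networking"

# Dump the full list. Anything here that is not a stock Windows entry is worth
# a look: an ITD that adds itself to SafeBoot keeps running even in safe mode.
Get-ChildItem -Path $safeBoot |
    ForEach-Object {
        [pscustomobject]@{
            Entry = $_.PSChildName
            Kind  = (Get-ItemProperty -Path $_.PSPath).'(default)'
        }
    } |
    Sort-Object Entry |
    Format-Table -AutoSize
```

The same script works for the Minimal key (plain Safe Mode) by changing $safeBoot, and the final listing is also the place to look when a cleaner's temporary service, like the AVG one the post asks about, needs to be identified: run the installer once in normal mode with Regmon filtering on the SafeBoot and Services keys and the service name shows up there.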
Posted 16 July 2005 - 12:27 PM
You may want to consider joining Boot Camp and becoming a Helper if you are interested in fighting malware...
Helpful link: SpywareBlaster...
MS MVP 2006 and ASAP Member since 2004
Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"