INVESTIGATING
MALWARE IN ACTION
Tiger Shark from Antionline has kindly given his permission for his tutorial to be hosted at The Taz.
You can find the original post here:
http://www.antionline.com/showthread.php?s=&threadid=267069
Enjoy
Have you ever wanted to _really_ know what is going on inside your
computer? Ever wondered _exactly_ what that suspicious file will do to
your computer when you click on it? Maybe you are suspicious about a
particular web site and what it does when connected to. Or, maybe, you
are doing a forensic investigation and want to watch what activity is
taking place when the system is running. There are five tools, all
available from www.sysinternals.com, that will allow you to do just
this. SysInternals has versions for Win9X/ME and for NT based systems
(the Win9X versions do not have a Process Monitor). For the purpose of
this tutorial I will be using the NT based versions.
The Computer:-
Windows 2000, SP4, fully patched. All unnecessary applications closed
down to simplify the output.
The Tools:-
1. Regmon: Registry Monitor - Monitors all access to the computer's
registry. (NOTE:- This has a handy "Log Boot" feature to help you track
down registry changes by spyware at start-up which may help give you a
clue as to how the spyware is working and thus give you an opportunity
to defeat it).
2. TDIMon: Transport Driver Interface Monitor - Monitors all TCP and
UDP connections to and from the computer.
3. FileMon: File Monitor - Monitors all file system activity.
4. NTPMon: NT Process Monitor - Monitors all process activity.
5. Autoruns: Lists all the automatically starting services and
applications and the locations from which they are initiated.
Pre-Preparation:-
Log in as an administrator of the machine since these tools require
administrative access. Back up the registry in case the program removes
registry entries. Start Regmon and Filemon and filter out the above
four applications' own activity to simplify the output. This filtering will
be saved for the next time you start these two apps. Have your
suspicious file in place ready to activate or the web site bookmarked
and ready to be connected to. For the sake of simplicity have the
computer set with everything already running because these tools have
voluminous output so the more you can avoid capturing the better. If
you are about to test a suspicious file or a web site use Autoruns to
take a "snapshot" of the current start-up items on the computer and
save the output to a safe place, (floppy, key fob or network drive and
disconnect or write protect). Prior to saving Autoruns' output you need
to use the file-view menu and select the following items:-
1. Show AppInit DLLs
2. Show Explorer Addons
3. Show Services
4. Show Winlogon Notifications
5. Show Winsock Providers
6. Verify Code Signatures
7. Include Empty Locations
8. Refresh (to refresh the information).
Then save the data.
Start the four applications and, again, for the sake of simplicity,
stop captures and set yourself up to activate the item to be tested.
The application I will use for this tutorial is an anonymizer called
Tor, (http://tor.eff.org/cvs/tor/doc/tor-doc-win32.html), because I
know it will install itself, create an autostart and contact the
internet. This should show us good activity on all the tools making it
a good demonstration.
Start the capture or clear any existing items in the tools and click on
the suspect item and follow the prompts if any until completion, (in
this case I told it to make Tor run at startup). As soon as the
installer completed and Tor started itself I stopped the capture
on all four applications and saved the data to files in a protected
location. In reality you should probably leave them running for a few
minutes before stopping the capture in case anything important occurs
on a delayed schedule, (like after a download has completed there may
be a further installation, reconnection to the internet etc.).
The Analysis:-
We'll start with the easy one first since it contains the least data.
You will notice that some of the file sizes are quite large, which is an
interesting view into the complexity of your computer. (Filemon.log -
410kb, Process.prc - 2kb, Regmon.log - 1028kb, TDImon.log - 13kb).
Process.prc
325 0 explorer.exe Process Create tor-0.0.9.5-win 6.546750
326 0 tor-0.0.9.5-win Thread Create TID: 336 0.000000
327 0 explorer.exe Thread Delete TID: 284 1.703092
328 0 tor-0.0.9.5-win Thread Create TID: 284 1.265601
329 0 tor-0.0.9.5-win Thread Create TID: 324 0.140622
330 0 tor-0.0.9.5-win Thread Create TID: 1332 0.015625
331 0 System Thread Create TID: 876 0.000000
332 0 System Thread Create TID: 428 0.000000
333 0 WINLOGON.EXE Thread Create TID: 748 0.000000
334 0 WINLOGON.EXE Thread Delete TID: 748 1.109353
335 0 System Thread Delete TID: 428 0.015625
336 0 System Thread Delete TID: 876 0.000000
337 0 tor-0.0.9.5-win Process Create tor.exe 1.859339
338 0 tor.exe Thread Create TID: 876 0.000000
339 0 tor-0.0.9.5-win Thread Delete TID: 284 0.015625
340 0 tor-0.0.9.5-win Thread Delete TID: 324 0.062499
341 0 tor-0.0.9.5-win Thread Delete TID: 1332 0.000000
342 0 tor-0.0.9.5-win Thread Delete TID: 336 0.000000
343 0 explorer.exe Process Delete tor-0.0.9.5-win 0.000000
344 0 tor.exe Thread Create TID: 336 0.171872
345 0 tor.exe Thread Create TID: 324 0.000000
346 0 SERVICES.EXE Thread Create TID: 1332 0.078123
347 0 tor.exe Thread Create TID: 284 0.749986
As can be seen, the act of clicking the executable causes explorer.exe
to spawn a process for it, (tor-0.0.9.5-win.exe), in #325. The
executable then creates 4 threads within that process in #326/8/9 and
330. The next important entries begin at #337 where the installer
starts the application itself, (process create). Now that tor.exe is
running, the installer closes the threads it started, (thread delete
#339-342), and, as it closes itself, explorer.exe kills the process,
(process delete #343). Now that Tor is running it creates its own
threads in #338, 344, 345 and 347 while services.exe registers the
process in 346.
From the output of this tool you can see what exactly happens in terms
of running programs and threads when the installer executes. The
programs the installer runs may be hidden from your view but this
output shows you they are there. More importantly, some applications
hide threads in another program's process. The output here would show
you Thread IDs (TIDs) being started, and a program such as ProcExp
(Process Explorer by Sysinternals) would let you track the threads
down by TID and see which processes are being subverted.
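As an added example (not part of the original tutorial), here is a small Python script that parses Process.prc lines like those above, rebuilds which process created which, counts the threads each process started, and lists thread creations in processes outside the suspect's own lineage so they can be followed up by TID in Process Explorer. The column layout is assumed from the listing above, and the embedded sample is a constructed subset of it.

```python
import re
# Constructed sample: a subset of the Process.prc lines quoted above, embedded so
# the script runs offline (columns: seq, ?, process, operation, detail, delta).
SAMPLE_LOG = """\
325 0 explorer.exe Process Create tor-0.0.9.5-win 6.546750
326 0 tor-0.0.9.5-win Thread Create TID: 336 0.000000
328 0 tor-0.0.9.5-win Thread Create TID: 284 1.265601
330 0 tor-0.0.9.5-win Thread Create TID: 1332 0.015625
333 0 WINLOGON.EXE Thread Create TID: 748 0.000000
337 0 tor-0.0.9.5-win Process Create tor.exe 1.859339
346 0 SERVICES.EXE Thread Create TID: 1332 0.078123
347 0 tor.exe Thread Create TID: 284 0.749986
"""
LINE_RE = re.compile(r"^(\d+)\s+\d+\s+(\S+)\s+(Process|Thread)\s+(Create|Delete)\s+(.+?)\s+\d+\.\d+$")

def parse_log(text):
    """(seq, process, kind, op, detail) per line; lines that don't match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            seq, proc, kind, op, detail = m.groups()
            rows.append((int(seq), proc, kind, op, detail))
    return rows

def lineage(rows, root):
    """root plus every process created, transitively, by root or its descendants."""
    tree = {d: p for _, p, k, o, d in rows if (k, o) == ("Process", "Create")}
    members = {root}
    while True:
        new = {c for c, p in tree.items() if p in members} - members
        if not new:
            return members
        members |= new

def threads_created(rows):
    """process name -> TIDs it created, in log order."""
    out = {}
    for _, proc, kind, op, detail in rows:
        if (kind, op) == ("Thread", "Create"):
            out.setdefault(proc, []).append(int(detail.split(":")[1]))
    return out

def threads_outside_lineage(rows, root):
    """Thread creations in processes unrelated to the suspect: the TIDs the tutorial
    says to chase in Process Explorer (benign, or a thread planted elsewhere)."""
    members = lineage(rows, root)
    return [(s, p, int(d.split(":")[1])) for s, p, k, o, d in rows
            if (k, o) == ("Thread", "Create") and p not in members]
```

Running it on the sample reports the installer's three threads and tor.exe as its child, and flags the WINLOGON.EXE and SERVICES.EXE thread creations for review.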
Original Tutorial
Submitted by nokia for TheTAZZone-TAZForum
Originally posted on March 4th, 2006 here
Do not use, republish, in whole or in part, without the consent of
the Author. TheTAZZone policy is that Authors retain the rights to the
work they submit and/or post...we do not sell, publish, transmit, or
have the right to give permission for such...TheTAZZone merely retains
the right to use, retain, and publish submitted work within its
Network.