Trick to Identify the Malware Infection on Windows System | Infosecwithme Blog

These articles provide the basis information about how to identify the infection on the systems at first level. There are some basic levels IOC (Indicators of compromise) which can help to confirm malware infection.

Below are the methods/ways which help us to proceed for confirmation.

          1)Manual Method
  2)Using Sysinternals
3)Using Redline Tools (Mandiant)

Manual Method: 


  • In manual Method, we will use inbuilt utilities to confirm the status of infection like foreign connection from base OS, Unknown Processes running, system boot processes and application details from Msconfig and regedit. Learn step by step.


  • Before Proceeding important note: Malware/Trojan/Virus/Worm Developer write a code in such a way that they always tried to evade detection from anti-virus.


  • Initially they tried to hide once it dumped into the OS.


Unhide hidden files/Folders/Drives:


To view the hidden malicious binary kindly go open Windows Explorer  Tools Folder Options –Go to View Tab (refer below snap)

I.Uncheck below highlighted options to view hidden files/folders.
a.Hide empty drives in the Computer Folder
b.Hide Extensions for known file types
c.Hide protected operating system files (Recommended)
II.Select the “Show Hidden files, folders and drives” options.




1. Using Netstat:


Netstat is a common command line TCP/IP networking utility available in most versions of Windows, Linux, UNIX and other operating systems.

This command is useful to see the currently established connection with foreign IPs with port & protocol wise details.

State Details: 


  • ESTABLISHED: Indicate that Still connection/communication is live.

C:\>netstat –ano | findstr ESTABLISHED
  TCP    172.16.174.228:59011    172.129.4.10:443            ESTABLISHED     8116
  TCP    172.16.174.228:59025    172.66.15.20:39331       ESTABLISHED     8116
  TCP    172.16.174.228:59065    172.128.30.85:8000       ESTABLISHED     452
  TCP    172.16.174.228:59102    172.128.27.42:10123     ESTABLISHED     4892
  TCP    172.16.174.228:59158    172.77.4.16:58734          ESTABLISHED     160
  TCP    172.16.174.228:59179    172.137.12.41:445          ESTABLISHED     4
  TCP    172.16.174.228:59723    172.135.128.228:8080   ESTABLISHED     2220
  TCP    172.16.174.228:59736    172.66.24.17:443            ESTABLISHED     8116
  TCP    127.0.0.1:6129                  127.0.0.1:53398              ESTABLISHED     1532
  TCP    127.0.0.1:53398               127.0.0.1:6129                 ESTABLISHED     4064


  • LISTENING: Indicate that some service is running on listening ports or port may be opened for listening. This may ready to connect to the Server who hit on listening port.

C:\>netstat –ano | findstr LISTENING
  TCP    0.0.0.0:135           0.0.0.0:0              LISTENING       1056
  TCP    0.0.0.0:443             0.0.0.0:0              LISTENING       4080
  TCP    0.0.0.0:445             0.0.0.0:0              LISTENING       4
  TCP    172.16.77.174.228:139   0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8307                  0.0.0.0:0              LISTENING       4080
  TCP    127.0.0.1:53507                0.0.0.0:0              LISTENING       6904
  TCP    192.168.56.1:139              0.0.0.0:0              LISTENING       4
  
          Here we will get information about current foreign connection. Help to analyse the incident.
I recommend you to use this commend first while analysing the incidents because, we can filter out the query for live traffic as per our requirement like live port communication/foreign IP communication/State/PID Value and Protocol

2.Tasklist:


  • This command is useful to see currently running processes on the server or remote server.

Syntax: TASKLIST [/S system [/U username [/P [password]]]] [/M [module] | /SVC | /V] [/FI filter] [/FO format] [/NH]
(For GUI: use task manager)





  • It will give you details about the currently running application/services so easy to track unknown processes. 

Note: You may require the basic knowledge about system running default processes + whitelisted application processes.

3.Task Manager:



  • It provides limited information about computer performance and running applications, processes and CPU usage, commit charge and memory information, network activity and statistics, logged-in users, and system services. The Task Manager can also be used to set process priorities, processor affinity, forcibly terminate processes, and shut down, restart, hibernate or log off from Windows.



  • The task list was capable of listing currently running processes and killing them, or creating a new process. 




4.Msconfig:


  • This utility we can use to see whether any unknown application is stucked at Start-up with Manufacturer details, command with full path of application, registry path.
  • If we observed unknown application directly uncheck it & go to folder path, try to remove the file manually (use AV scan to validate/remove it). 
  • Go to registry path to remove the entry of application or use Ccleaner application to clear unwanted Data from registry.


  • Advantage of this utility is to check the unknown process/services running.

          Tick the “HIDE ALL MICROSOFT SERVICES” SO ALL MS services will get hide. Analyse the remaining services are related to whitelisted application or not and trace the unknown process/Application running the services and uninstall it asap.
We can validate which service is required to run on system start-up.

5.Registry:


Easiest way to identify is to use registry path:

HKLM\Software\Microsoft\Windows NT\current Version\Run & \Runonce
Here you will get details about the application which are set to run itself when OS boot.

6.Common Path to Dump The Binary Files:


  • Whenever system get infected malicious binary file dump itself in windows file system. There is some common path where you can check for the same.

Like: %temp%, %Appdata%, system32 etc & Documents Folder.
          You may confirm the binary files is suspicious or not by uploading the same file on Virustotal.com /metascan.com site to confirm the status.

7.Scan With Anti-Virus: 

  • Kindly update the Av version and scan whole drive using FULL scan method.
  • It is recommended to use Full Version of AV, mostly tried to avoid cracked version as there is chances of infection from cracked version. Most of the hacker use this technique to infect the user systems.

8.Use Virus Total / Metascan:
     This is simplest and fast method to detect the binary files malicious status.
You may scan files (upload limit: Max 128 MB size)/URLs/IPs and HASH to check the status. Security Analyst using this site for first level analysis.




9.Use Sandboxie:

      Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.


  • It is useful when we find the file and need to understand the functionality or infection level, this tool is useful.
  • Most of the analyst use sandboxie to check the behaviour of malicious binary files.

Download URL: http://www.sandboxie.com/SandboxieInstall.exe

Using Sysinternals utility: 


10.Using Process Explorer to Identify Malware:


       Process Explorer is a free 1.47 MB download from the Windows Sysinternals web page on the TechNet site. Tool 

List: https://technet.microsoft.com/en-us/sysinternals/bb545027.aspx

Useful Links:

Hunt Down and Kill Malware with Sysinternals Tools (Part 1)
Hunt Down and Kill Malware with Sysinternals Tools (Part 2)
Hunt Down and Kill Malware with Sysinternals Tools (Part 3)
Video Demonstration: Malware Hunting with the Sysinternals Tools https://www.youtube.com/watch?v=Wuy_Pm3KaV8

Using Redline Tools (Mandiant):


          MANDIANT transforms how organizations detect, respond to, and contain security breaches. Through our commercial and free products, we equip front-line incident investigators with superlative tools and technologies that support them in providing a quick and effective response when organizations need it the most. 

Redline is MANDIANT’s free tool for investigating hosts for signs of malicious activity through memory and file analysis, and subsequently developing a threat assessment profile.
User Guide: https://dl.mandiant.com/EE/library/Redline1.11.1_UserGuide.pdf

Redline Features:

Rapid Triage
Reveals Hidden Malware
Guided Analysis

With Redline you can: 


  • Collect run processes, files, registry data, and memory images. 
  • View imported data, including narrowing and filtering results around a given timeframe using Redline’s TimeWrinkle™ and TimeCrunch™ features. 
  • Identify processes more likely worth investigating based on their Redline Malware Risk Index (MRI) score. 
  • Perform Indicators of Compromise (IOC) analysis. 
  • Use whitelists to filter out known valid data based on MD5 hash values.

Your Good comments Encourages me to keep posting Nice Articles so keep Commenting & Sharing

Trick to Identify the Malware Infection on Windows System | Infosecwithme Blog Trick to Identify the Malware Infection on Windows System | Infosecwithme Blog Reviewed by BlackHat on 8:33 PM Rating: 5

No comments:

Thanks for Valuable Comment. I will review and get back.



SastiPrice.com Store | India's One of Best Affiliate Store



-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Cyber Security Learning E-Books



Powered by Blogger.